llm-wiki SKILL inspired by Karpathy

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local wiki helper that reads source documents and updates Markdown wiki files, with optional embedding integrations that users should enable carefully.

Install this only in a workspace where you are comfortable letting an agent read source materials and modify wiki Markdown files. Keep embeddings disabled unless you intentionally configure a trusted provider, and review dry-run diffs before applying merge or relink changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Medium, 97% confidence

The merge command advertises a safe merge between source and target pages, but it never uses source_page content and instead builds context with `target: args.source`, which is semantically inconsistent and can cause unintended modifications to the target page. In an agent-driven workflow, this can silently corrupt knowledge base contents, misattribute provenance, and cause downstream automated edits based on false relationships.

Missing User Warnings

Medium, 91% confidence

The README promotes optional embedding and API-based retrieval while only briefly mentioning privacy/cost tradeoffs, without a prominent upfront warning that wiki content may be transmitted to external services when those features are enabled. In a knowledge-management skill, users may ingest sensitive research notes or proprietary documents, so understated disclosure can lead to unintended data exfiltration to third-party providers.

Vague Triggers

Medium, 82% confidence

The trigger phrase for ingest is very broad and could cause the skill to activate on loosely related user text, leading the agent to read sources and modify wiki files without sufficiently explicit intent confirmation. Because ingest also performs writes, linking, stub creation, and log updates, accidental invocation has real integrity impact on the repository.

Vague Triggers

Medium, 85% confidence

The batch-link trigger is ambiguous and can initiate a high-scope operation affecting many recent pages, which increases the chance of unintended large-scale content changes. In a knowledge-management skill, global relinking can silently rewrite relationships across the wiki and amplify errors from a mistaken invocation.

Missing User Warnings

Medium, 88% confidence

The ingest/archive workflow description does not prominently warn that these actions write to and modify repository content, including creating pages, updating cross-references, and appending logs. Users or host agents may interpret the skill as largely read/query-oriented and unintentionally authorize state-changing actions, which can lead to unwanted data integrity changes.

Natural-Language Policy Violations

Medium, 95% confidence

The file explicitly instructs output in Chinese ('来源类型片段库', all templates written as mandatory Chinese-language content) without any indication that language should follow user preference or agent context. This can override user intent, reduce usability, and create prompt-steering behavior where downstream generations ignore requested language, though it does not directly enable code execution or data exfiltration.

Vague Triggers

Medium, 86% confidence

The query trigger pattern "查询.*wiki.*" is broad enough to activate on many ordinary messages that merely mention a wiki, which can cause the skill to run unexpectedly. In a high-priority skill with access to CLAUDE.md, wiki/index.md, and log.md, unintended activation can expose internal context or cause actions to occur when the user did not explicitly invoke the skill.

Vague Triggers

Medium, 82% confidence

The ingestion trigger "请摄入.*到.*wiki" does not constrain source type, target scope, or trust boundary, so casual natural-language requests may invoke ingestion on unintended content. Because ingestion changes the knowledge base, an attacker or accidental prompt could poison the wiki, import sensitive files, or create persistent bad state for later retrieval.

VirusTotal

65/65 vendors rated this skill as clean.

View on VirusTotal