Chat History Local

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is meant to search local chat history, but it grants broad raw database access to private messages using the PostgreSQL admin user without clear consent or read-only limits.

Install only if you intentionally want an agent to query your local WhatsApp/chat audit database. Before use, prefer a dedicated read-only database role limited to the messages table, require explicit user authorization for each lookup, keep searches scoped by chat/date/person, and avoid exposing unrelated cost/model telemetry or broad private conversation dumps.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill is named and described as a chat-history lookup tool, but the documentation also instructs the agent to access an audit-log table for LLM cost and usage analysis. This expands the skill’s operational scope beyond user-expected message search and creates a pathway for unintended access to adjacent sensitive business telemetry without clear authorization boundaries.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
Granting model-usage and cost-analysis capability inside a chat-history skill violates least privilege and weakens purpose limitation. An agent invoked for everyday conversation lookup could be steered into exposing internal operational data that is unrelated to the user’s request and may be commercially sensitive.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding
The activation text is broad enough to trigger on common phrases about past discussions or what someone said, which increases the chance the skill is invoked without a strong privacy or authorization check. In a skill that accesses audit-log chat content, overbroad triggering materially raises the risk of unnecessary retrieval of sensitive personal communications.

Missing User Warnings

Severity: High
Confidence: 94%
Finding
The skill exposes direct access to stored WhatsApp/chat history but provides no user-facing privacy warning, consent requirement, or authorization check. Because the content involves personal communications in an audit-log database, this omission increases the likelihood of privacy violations, unauthorized disclosure, and non-compliant handling of sensitive message data.

VirusTotal

64/64 vendors flagged this skill as clean.