Security audit

i-skill

Security checks across malware telemetry and agentic risk

Overview

This skill persistently stores a local personalization profile and related logs, but that behavior is disclosed and fits its stated purpose.

Install only if you want persistent local personalization. Treat the generated profile and logs as personal data, keep ISKILL_DATA_PATH unset or pointed at a private dedicated directory, and use the view, pause, reset, or delete commands if the profile becomes inaccurate or too sensitive.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill declares no permissions while explicitly describing use of environment variables, persistent file reads/writes, and helper scripts that manage local state and logs. This under-declaration prevents proper user/platform review of the skill's real capabilities and increases the risk of unauthorized data access or persistence, especially because it processes sensitive personalization data.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The public description presents a narrow personalization function, but the skill also maintains multiple audit/defensive logs, consent state, versioned profile storage, and related lifecycle management. This mismatch undermines informed consent because users may activate the skill expecting transient conversation analysis, while the skill actually performs broader persistent data handling and logging.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: This module exposes cross-skill activity summaries, recent activity, and anomaly reporting capabilities that go beyond the declared purpose of generating personalized interaction guides. In a multi-skill environment, this can create an unnecessary surveillance surface and enable collection or inference of other skills' behavior, access patterns, and defensive events without a clear need-to-know boundary.

Context-Inappropriate Capability

Severity: Low
Confidence: 76%
Finding: Allowing ISKILL_DATA_PATH to override the storage root introduces externally controlled data-placement behavior that is not clearly required for personalization. If an attacker or untrusted runtime can influence environment variables, logs and metrics may be redirected to shared, sensitive, or attacker-observable locations, weakening isolation and confidentiality.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding: This module persists consent state and a separate conversation log to disk and exposes retrieval APIs for both history sets, which goes beyond a narrowly scoped personalization helper. Even if the data is framed as consent-related, retaining and exposing conversation-linked records increases privacy risk, especially because the skill description is about generating personalized interaction guides rather than operating a long-term audit store.

Context-Inappropriate Capability

Severity: Medium
Confidence: 80%
Finding: The module includes broad administrative and reporting functions such as listing all consent states, clearing pending requests, summarizing all skills, and retrieving logs/history. In the context of a personalization skill, these capabilities expand access to sensitive metadata and create an unnecessary internal control plane that could be abused by other code paths to inspect or manipulate user consent state beyond the immediate need.

Natural-Language Policy Violations

Severity: Medium
Confidence: 79%
Finding: Defaulting to Chinese for existing profiles without explicit user choice can cause unintended language-preference inference and may expose profile-derived assumptions in a language the user did not request for the current session. While not a direct code-execution issue, it is a privacy and consent weakness because the system applies stored preference data automatically after activation.

Missing User Warnings

Severity: Medium
Confidence: 84%
Finding: The clear_log() function permanently wipes audit or defensive logs with no confirmation, authorization check, retention control, or tamper-evident trail. Because audit logs are security-relevant records, easy deletion can erase evidence of misuse or incident activity and undermine accountability.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The code writes consent state and conversation-related records to disk without any visible disclosure, in the same consent flow, that these records are retained locally. This creates a transparency and privacy problem: users are asked to authorize profile access, but the implementation also stores durable metadata and logs that a user may not reasonably expect.

Autonomous Decision Making

Severity: Medium
Category: Excessive Agency
Content:
### Pause / Resume

- **Pause**: Execute immediately, no confirmation required. Change state `status` to `paused`, retain all profile data
- **Resume**: Execute immediately, no confirmation required. Change state `status` back to `active`, re-read profile to resume personalization service

---
Confidence: 72%
Finding: Flagged phrase "no confirmation": both the pause and resume commands execute immediately without a user confirmation step.

VirusTotal

64/64 vendors flagged this skill as clean.
