06 AI Summary

Security checks across malware telemetry and agentic risk

Overview

The skill broadly matches its AI summarization purpose, but it needs review because it can send user text to external AI providers and silently keep copies on disk.

Review the missing llm_client.py/llm_config.py before installing or using this skill. Avoid pasting confidential content unless you trust the selected AI provider and its data policy, use limited-scope API keys, install dependencies in a virtual environment with pinned versions, and inspect or delete ~/.ai_summary.db if it may contain sensitive material.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill stores full user content and generated summaries in a local SQLite database under the user's home directory, which introduces persistent retention of potentially sensitive data beyond transient summarization. This is risky because users may reasonably expect a summarization tool to process content ephemerally, and local persistence increases the chance of later disclosure through local access, backup sync, or subsequent export/search features.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The export function writes to an arbitrary path supplied by the caller without validation or confinement to a safe directory. If this skill is exposed through an agent or automation context, an attacker could cause unintended file creation or overwriting in user-accessible locations, potentially clobbering important files or planting misleading content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill prominently encourages users to summarize content with third-party LLMs, but it does not clearly warn that user content may be transmitted to external providers. This creates a meaningful privacy and data-governance risk because users may submit work reports, meeting notes, or project materials assuming local-only processing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
User content is sent to an external LLM provider for summarization without any explicit notice, consent, or sensitivity filtering at the call site. This creates a privacy and data-handling risk because users may paste confidential material, assuming local-only processing, while the tool silently transmits it to third-party services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The review flow sends complete project goals, results, and metrics to an external chat API without warning or user control. Project review data often contains sensitive business information, making silent third-party transmission a meaningful confidentiality risk.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The summarize_content flow automatically saves content and summaries when a title is present, but the CLI does not clearly disclose this persistence behavior before collecting input. This can lead to unintentional retention of sensitive text on disk, especially for users who assume the tool is stateless.

Ssd 3

Medium
Confidence
91% confidence
Finding
The application stores full user content and later exposes related data via history, search, and Markdown export, creating multiple avenues for sensitive information to be resurfaced beyond the original interaction. This broadens the blast radius of any accidental disclosure, unauthorized local access, or unintended sharing of exported files.

Ssd 3

Medium
Confidence
93% confidence
Finding
The project review prompt includes all user-supplied goals, results, and metrics and sends them to an external LLM without any data classification, minimization, or sensitivity boundary. In a project-review context, these fields can contain roadmap, financial, operational, or customer-sensitive information, making over-sharing to third parties materially dangerous.

Unpinned Dependencies

Low
Category
Supply Chain
Content
# AI Summary and Review skill v2.0 dependencies

# Core dependency (supports multiple large language models)
openai>=1.0.0

# Optional dependency
anthropic>=0.18.0
Confidence
88% confidence
Finding
openai>=1.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
openai>=1.0.0

# Optional dependency
anthropic>=0.18.0

# Note: no extra dependencies are required; this skill can coexist with the basic version
Confidence
95% confidence
Finding
anthropic>=0.18.0

Known Vulnerable Dependency: anthropic — 2 advisory(ies): CVE-2026-34450 (Claude SDK for Python has Insecure Default File Permissions in Local Filesystem); CVE-2026-34452 (Claude SDK for Python: Memory Tool Path Validation Race Condition Allows Sandbox)

Low
Category
Supply Chain
Confidence
97% confidence
Finding
anthropic

VirusTotal

64/64 vendors flagged this skill as clean.