
Security audit

Context Guardian

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it should be reviewed because it creates always-on, sometimes silent, local memory of conversations and preferences that persists across sessions.

Install only if you deliberately want proactive local memory in the workspace. Before using it, decide whether silent saves are acceptable, review the memory files periodically, avoid storing secrets or sensitive personal details, and tell the agent to ask before saving or loading notes if you want tighter control.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection

Findings (14)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The skill goes beyond passive context management by directing the agent to persist conversation content and user preferences to workspace files as a default behavior. Because this is framed as always-on and not gated by explicit user consent or data minimization, it creates unnecessary retention of potentially sensitive user information.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
Automatically scanning today's and yesterday's notes at the start of every session expands the skill from context-rot prevention into proactive surveillance of previously stored data. This increases exposure of prior-session content without fresh consent and may surface sensitive information unrelated to the current task.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The pruning, archival, and long-term memory management workflows materially expand the skill's scope beyond preventing context degradation in a single conversation. Managing archives and long-term memory files increases retained data volume and creates additional opportunities for unauthorized access, overcollection, and stale sensitive data persistence.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The setup guide expands the skill from passive context-quality monitoring into automatic persistence, rereading, and file management of user conversations. That creates undocumented data collection and retention behavior, increasing privacy and scope-creep risk because users may not realize the skill stores and reuses prior discussion content across sessions.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The skill explicitly says to use it always and defines triggers broad enough to activate in nearly every session. An always-on skill with file access and note-taking authority materially raises risk because it can collect and persist data continuously, even when context management is unnecessary.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The skill tells the agent to save important information and user preferences to files, but it does not provide a clear upfront notice that conversation data will be persisted across sessions. Silent or implicit persistence undermines user expectations and can lead to accidental storage of sensitive personal, business, or credential-adjacent information.

Missing User Warnings

Severity: High
Confidence: 99%
Finding
The instruction to perform routine saves silently is especially risky because it normalizes undisclosed persistence of user data. This removes informed consent at the point of collection and makes it harder for users to control what is written, reviewed, or deleted later.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The guide states the AI will automatically save notes and read prior notes, but the overall skill description does not clearly warn users that workspace files will be read from and written to automatically. Hidden or insufficiently disclosed file access is dangerous because it undermines user consent and can expose sensitive local project data or prior conversation notes without an explicit approval moment.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
Directing the agent to save broad discussion summaries, decisions, action items, and user preferences across sessions creates a natural-language data retention channel. In practice, this can accumulate sensitive personal or organizational context that later sessions, tools, or other users may access in ways the original user did not intend.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The 'save immediately' instruction encourages aggressive capture of information as it appears, before the sensitivity or necessity of that information is evaluated. Combined with silent operation, this creates a high likelihood of overcollection and persistence of data the user never intended to store.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
Automatically reading prior notes each session broadens access to previously stored user data without a current-session need-to-know decision. This increases the chance that stale, sensitive, or irrelevant information influences responses or is exposed during unrelated work.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The instruction to write comprehensive end-of-session notes covering everything discussed, preferences, reasoning, and future work creates a broad data capture pattern with little limitation. Comprehensive summaries are likely to contain sensitive or identifying details and significantly enlarge the retained attack surface over time.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
Automatically saving notes and rereading yesterday's and today's notes creates a persistent natural-language memory channel that may contain secrets, personal data, internal plans, or other sensitive content. Because the data is resurfaced in later sessions, information can be retained longer than the user expects and accidentally disclosed in unrelated contexts or to other users sharing the workspace.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The 'starting fresh' workflow instructs the AI to save everything discussed and then reload it in a new session, which can persist sensitive conversation content wholesale. This increases the chance of oversharing, stale-context leakage, and retention of information that should have expired with the original session.

VirusTotal

64/64 vendors flagged this skill as clean.
