Planning with files

Security checks across malware telemetry and agentic risk

Overview

The skill appears intended for session recovery, but it can read and print past agent conversations from outside the current workspace without clear consent or redaction.

Treat this as a Review item before installing. Only use it if you are comfortable letting it inspect historical agent session records, and prefer a version that requires explicit opt-in, scopes recovery to the current project, redacts secrets, and shows summaries by default instead of raw transcript content.

Publisher note

  • Fixed POSIX init-session.sh portability across the 8 mirrors (PR #169). The script's shebang is #!/usr/bin/env bash, but tests/test_init_session_slug.py:27 invokes it via sh, bypassing the shebang. On Ubuntu where /bin/sh is dash, the while [[ $# -gt 0 ]] bashism was a syntax error. v2.42 swaps to POSIX while [ $# -gt 0 ] so the slug-mode test suite runs portably under both bash and dash.
  • Added Install-scope transparency block in canonical SKILL.md (Turn-Loop Integration section). Documents that /plugin install ships the commands/ folder with /plan-goal and /plan-loop, but npx skills add (and ClawHub) install only skills/planning-with-files/ and do not register the wrapper slash commands. The PreCompact hook is in the SKILL.md frontmatter and works for both routes.
  • Manual fallback procedure for /plan-goal and /plan-loop inline in the canonical SKILL.md. Lets the agent reproduce wrapper semantics by issuing Claude Code's native /goal and /loop primitives directly. Also covers the disable-model-invocation refusal pattern from anthropics/claude-code #26251 and #41417 where some sessions decline to fire the wrapper even when the user types it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Context-Inappropriate Capability

Medium, 95% confidence
Finding
The script enumerates and reads prior session transcript files from tool-managed storage outside the project workspace, then uses that data to reconstruct and summarize prior user/assistant exchanges. Even though this is framed as session recovery, it crosses a clear trust boundary and can expose secrets, prompts, file paths, commands, or unrelated sensitive context from earlier sessions without explicit user consent at runtime.

Context-Inappropriate Capability

Medium, 90% confidence
Finding
The OpenCode path resolution reads from environment-derived data directories and accesses a global SQLite session database unrelated to the declared planning files. This expands the skill's data reach beyond the workspace and creates a privacy risk because session records for the current directory may still contain sensitive historical content that users do not expect this skill to inspect.

Missing User Warnings

Medium, 97% confidence
Finding
The catchup report prints prior user messages, assistant text, and tool activity directly to output with no warning, consent, or redaction. That can leak secrets from previous sessions into the current context, terminal logs, screenshots, or downstream model inputs, turning passive recovery logic into active sensitive-data disclosure.

Natural-Language Policy Violations

Medium, 97% confidence
Finding
The template explicitly instructs the agent to use "attention manipulation," which is not necessary for normal task planning and can steer model behavior in ways the user did not request or consent to. In a persistence/planning skill, this is especially risky because the instruction can be repeatedly surfaced during long-running tasks, reinforcing unintended behavioral influence across many tool calls.

VirusTotal

VirusTotal findings are pending for this skill version.