knowledge is what brings us together

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed personal knowledge-base skill with local file, memory, and git side effects that fit its stated purpose, but users should avoid storing sensitive material they would not want recalled later.

Install this only if you want an agent-managed local knowledge base that can be remembered and reused later. Use a dedicated non-sensitive folder, avoid adding secrets or private documents, review import and reorganization plans before approving them, and only configure or push a git remote if you intentionally want the knowledge base synced elsewhere.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Severity: High | Confidence: 96%
Finding
The activation trigger is extremely broad: it tells the agent to search and use the knowledge base for 'ANY topic' and 'when in doubt, check the knowledge base.' That can cause the skill to activate during ordinary conversations and pull prior stored content into responses without a clear user request, increasing the risk of unintended disclosure and over-collection.

Missing User Warnings

Severity: Medium | Confidence: 94%
Finding
The skill directs the agent to persist the knowledge-base path and maintain an index in memory across sessions, but it does not warn the user that this metadata will be retained. That creates a transparency and consent problem: users may not realize the system is storing durable references to local locations and topical summaries beyond the current interaction.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The skill authorizes creating directories, initializing git, and committing changes on the local filesystem, but it does not prominently warn the user that local files will be created and modified. This can surprise users and lead to unintended repository creation, file writes, or persistent history of captured content.

Ssd 3

Severity: Medium | Confidence: 95%
Finding
The skill is designed to store user-derived knowledge and proactively reuse it across sessions and unrelated prompts. That creates a natural-language data leakage channel because prior private material can influence later answers even when the user did not request retrieval in the current context.

Ssd 3

Severity: Medium | Confidence: 93%
Finding
Persisting the knowledge-base path and a durable memory index means user data references survive beyond the immediate task and session. Even if the index is lightweight, it can expose sensitive topics, behavioral patterns, or local path information to later interactions or other subsystems that consult memory.

Ssd 3

Severity: Medium | Confidence: 97%
Finding
Requiring the memory index to remain 'always in context' before activation materially increases leakage risk because stored categories and topics are continuously available for use. This makes accidental disclosure more likely during unrelated prompts, especially when the agent is instructed to treat the knowledge base as an extension of memory.

Ssd 3

Severity: High | Confidence: 98%
Finding
The recall workflow explicitly instructs the agent to load stored knowledge into working context and use it proactively without being asked. In this skill that is more dangerous than usual because the stored material can come from arbitrary URLs, files, and user-provided content, so unrelated conversations may reveal prior private information or inferred interests.

VirusTotal

62/62 vendors flagged this skill as clean.