Multi Group Chat Manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent group-chat management tool, but it can collect chat history and build lasting user profiles without strong built-in privacy controls.

Install only if you administer the relevant groups and can give members clear notice that messages may be used to build local profiles and scores. Keep the OneBot endpoint bound to localhost or otherwise protected, configure only intended groups, restrict access to generated profile/log files, and add or verify real authorization, deletion, and retention controls before relying on the privacy claims.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (11)

Intent-Code Divergence

Medium
Confidence: 86%
Finding:
The privacy section claims data is kept local and not uploaded to any server, but the same skill requires fetching group messages through an HTTP API endpoint. Even if OneBot is local in many deployments, the blanket statement is misleading and can cause unsafe operator assumptions about data flow, trust boundaries, and exposure to remote or misconfigured endpoints.

Intent-Code Divergence

Medium
Confidence: 95%
Finding:
`query_detail` returns a user's full scoring history, timestamps, and reasons, yet it contains no authorization check despite being labeled 'for administrator use'. Any caller that can reach this function can enumerate sensitive behavioral records about other users, which creates an information disclosure and privacy violation risk.

Missing User Warnings

Medium
Confidence: 90%
Finding:
The skill is designed to collect, analyze, and persist group chat messages and build per-user profiles, but the documentation lacks a clear upfront warning about consent, notice, retention, and privacy impact before deployment. In a multi-user chat setting, silent profiling increases the risk of unauthorized surveillance, policy violations, and legal/privacy noncompliance.

Missing User Warnings

Medium
Confidence: 82%
Finding:
The detailed query exposes retained per-user activity history, including score changes, timestamps, and free-text reasons, without any visible consent, warning, or retention controls. In a group-chat management context this can reveal behavioral profiling data to unauthorized parties or even authorized operators beyond what users reasonably expect.

Missing User Warnings

Medium
Confidence: 79%
Finding:
The module persistently stores user-supplied memory content in per-user JSON files without any visible consent, disclosure, retention notice, or privacy control at the storage boundary. In a chat-manager context that builds user profiles and affinity scores, this can silently accumulate sensitive personal data and create privacy, compliance, and secondary exposure risk if the host is accessed or files are mishandled.

Missing User Warnings

Medium
Confidence: 93%
Finding:
The fetch/recent commands print full message bodies, sender identifiers, nicknames, and raw message structures to stdout as JSON without any consent prompt, redaction, or operator warning. In practice this can expose private group-chat content to logs, downstream tools, or other users of the host environment, especially because the script is explicitly designed to collect complete history.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The scan workflow writes collected chat-derived data into the profile memory system automatically, reinforcing user profiles based on message content without any visible notice, confirmation, or data-minimization control at execution time. This creates a privacy and surveillance risk because ordinary chat messages are transformed into persistent behavioral records.

Missing User Warnings

Medium
Confidence: 89%
Finding:
The script persists user profiling data to local JSON files and a memory store without any built-in notice, consent, retention control, or access restriction visible in this code path. Because the stored data includes behavioral traits, preferences, facts, and group roles, silent collection and retention increases privacy and compliance risk if operators enable it without informing users or securing the host.

Ssd 3

High
Confidence: 97%
Finding:
The skill explicitly instructs the agent to retain raw group messages, derive long-lived per-user profiles, and disclose profile contents on demand in private chat. That creates a powerful natural-language surveillance and disclosure channel: an authorized or compromised requester can retrieve inferred personal traits and historical behavioral summaries that users may not expect to be stored or shared.

Ssd 3

High
Confidence: 97%
Finding:
The file-level design explicitly instructs the collector to pull complete group chat history and integrate that content into profiling and affection systems, expanding collection beyond a minimal operational need. Because the system is meant to gather full records and feed them into downstream analysis, compromise or misuse would expose sensitive communications at scale and enable persistent profiling of users.

Ssd 3

High
Confidence: 98%
Finding:
The scan workflow aggregates all message texts and per-user histories into a result object for AI analysis and also persists derived reinforcement data, creating a concentrated store of sensitive chat content and behavioral metadata. This is dangerous because it couples bulk collection, broad exposure, and long-term profiling in a single path, increasing the blast radius of operator misuse, logging leaks, or downstream model ingestion.

VirusTotal

65/65 vendors flagged this skill as clean.
