Reader

Security checks across malware telemetry and agentic risk

Overview

This skill locally reads user-selected text and document files, creates simple summaries or comparisons, and keeps a local history file with no evidence of cloud transfer or destructive behavior.

Install only if you are comfortable with a local history file recording which document paths were summarized, briefed, or compared and when. Avoid using it on highly sensitive files unless you accept both the agent processing the content and the local retention of file path metadata; delete the reader history file if you want to clear that record.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill declares no explicit permissions, but its documented workflows and storage model clearly require reading local files and writing to a history file. That mismatch is risky because it hides the true capability surface from users and policy enforcement, reducing transparency and potentially enabling broader file access than expected.
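An added example of the kind of check behind this finding (it is not SkillSpector's code and does not reproduce its rules): walk a skill script's AST, infer the capabilities it exercises, and diff them against what the manifest declares. The capability names (file_read, file_write, fs_enumerate, env_read, network, process_exec), the manifest shape (a plain list of strings) and the SAMPLE_SKILL script, which stands in for the history-writing behaviour the finding describes, are all assumptions for illustration.

```python
"""Added example (not SkillSpector's own logic): infer what a skill's Python
script can do from its AST and report capabilities that its manifest does
not declare. Capability names and the manifest shape (a list of strings)
are assumptions for illustration."""
import ast

# Any of these characters in an open() mode means the file can be modified.
WRITE_MODES = set("wax+")
NETWORK_MODULES = {"socket", "ssl", "http", "urllib", "requests", "httpx", "ftplib", "smtplib"}


def _dotted(node):
    """'os.environ.get' for a Name/Attribute chain, '' for anything else."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        return _dotted(node.value) + "." + node.attr
    return ""


def _open_mode(call):
    """Mode of an open() call: the literal if present, 'r' if absent, None if
    computed at runtime (the caller treats None as a write, since it cannot
    prove otherwise)."""
    candidates = [call.args[1]] if len(call.args) >= 2 else []
    candidates += [kw.value for kw in call.keywords if kw.arg == "mode"]
    if not candidates:
        return "r"
    value = candidates[0]
    if isinstance(value, ast.Constant) and isinstance(value.value, str):
        return value.value
    return None


class CapabilityVisitor(ast.NodeVisitor):
    def __init__(self):
        self.caps = set()

    def _module(self, name):
        root = name.split(".")[0]
        if root in NETWORK_MODULES:
            self.caps.add("network")
        elif root == "subprocess":
            self.caps.add("process_exec")

    def visit_Import(self, node):
        for alias in node.names:
            self._module(alias.name)

    def visit_ImportFrom(self, node):
        if node.module:
            self._module(node.module)

    def visit_Attribute(self, node):
        if _dotted(node) == "os.environ":
            self.caps.add("env_read")
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _dotted(node.func)
        if name in {"open", "io.open"}:
            mode = _open_mode(node)
            if mode is None or WRITE_MODES & set(mode):
                self.caps.add("file_write")
            else:
                self.caps.add("file_read")
        elif name.endswith((".write_text", ".write_bytes")):
            self.caps.add("file_write")
        elif name.endswith((".read_text", ".read_bytes")):
            self.caps.add("file_read")
        elif name in {"os.listdir", "os.walk", "os.scandir"} or name.endswith((".glob", ".rglob", ".iterdir")):
            self.caps.add("fs_enumerate")
        elif name in {"os.getenv", "os.environ.get"}:
            self.caps.add("env_read")
        self.generic_visit(node)  # descend into nested calls, e.g. open(p).read()


def inferred_capabilities(source):
    visitor = CapabilityVisitor()
    visitor.visit(ast.parse(source))
    return visitor.caps


def undeclared_capabilities(source, declared):
    """Capabilities the code exhibits but the manifest does not declare."""
    return sorted(inferred_capabilities(source) - set(declared))


# Constructed stand-in for the script the finding describes: reads the
# user's file and appends a path + timestamp record to a history file.
SAMPLE_SKILL = '''
import json, time
from pathlib import Path

HISTORY = Path.home() / ".reader_history.jsonl"

def summarize(path):
    text = open(path).read()
    with open(HISTORY, "a") as h:
        h.write(json.dumps({"path": path, "ts": time.time()}) + "\\n")
    return text[:200]
'''

if __name__ == "__main__":
    # With an empty declaration list, both file capabilities are undeclared.
    print(undeclared_capabilities(SAMPLE_SKILL, declared=[]))
```

The check is deliberately conservative: an open() whose mode is built at runtime counts as a write, because a least-privilege policy should fail closed on what it cannot prove. A real scanner would also have to follow helper functions and wrapped I/O, which is why the finding's confidence is reported rather than absolute.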

Description-Behavior Mismatch

Low
Confidence
95% confidence
Finding
The script persists comparison session metadata (including the two file paths and a timestamp) to history storage even though the skill is described as local-first reading/distillation with no external sync. While there is no evidence of network exfiltration, this still creates an undisclosed local data-retention surface that can expose sensitive filenames, directory structures, and user activity to other local users, later processes, or backups.

Description-Behavior Mismatch

Low
Confidence
89% confidence
Finding
The script records per-run session metadata to persistent local history even though the skill is presented as a local reading/distillation tool with no clear disclosure that usage history is retained. While it does not exfiltrate data or store document contents here, persistent logging of filenames and timestamps can expose sensitive work patterns or document names on shared systems.

Description-Behavior Mismatch

Low
Confidence
90% confidence
Finding
The script records summary session metadata, including the source file path and timestamp, to persistent history without any indication in the skill description or user-facing disclosure. In a local-first reading tool, undisclosed retention can expose sensitive document names, project structure, or usage patterns beyond the immediate task, which creates a privacy and data-minimization issue even if no content is stored.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description uses very broad invocation language such as 'use whenever the user wants to read, summarize, extract key points, compare documents' and references many common tasks. This can cause the skill to activate for a wide range of ordinary requests, increasing the chance that it is invoked on sensitive local content and expanding its effective access beyond what users specifically intended.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code writes comparison metadata to persistent storage without any warning, consent, or visible indication to the user. In a document-reading skill, users may process sensitive internal files, and silently retaining filenames and timestamps can leak confidential project names, personal data hints, or usage patterns despite the 'local-first' positioning.

Missing User Warnings

Low
Confidence
93% confidence
Finding
The code writes local usage history without any user-facing warning, which creates a privacy issue because users may reasonably assume a local reader only processes the current input transiently. In this context, even local-only persistence can be sensitive because filenames and timestamps may reveal confidential document topics, client names, or reading activity.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The code writes session metadata to history silently, with no user-facing notice at runtime. Even though the data stored appears limited, silent persistence in a tool expected to process potentially sensitive local documents can surprise users and leak operational context such as which files were summarized and when.
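The three Description-Behavior Mismatch and three Missing User Warnings findings above all describe one pattern: a path plus a timestamp appended to a local history file, silently, with default file permissions. As an added example (not the Reader skill's code, and not a fix the project ships), the flagged pattern is shown next to a data-minimizing variant: a retention notice the skill can surface, an opt-out, an owner-only (0600) file, a keyed hash in place of the path, a day-level timestamp, and the clear_history() step the overview tells users to do by hand. Function names, the JSONL layout and the file locations are assumptions for illustration.

```python
"""Added example, not the Reader skill's code: the history writer the findings
describe next to a data-minimizing one. Function names, JSONL layout and file
locations are assumptions for illustration."""
import hashlib
import hmac
import json
import os
import secrets
import tempfile
import time
from pathlib import Path

# Text the skill would surface once, e.g. in its README and on first run.
RETENTION_NOTICE = (
    "This reader keeps a local history file (keyed hash of each document path, "
    "day-level timestamp). Pass retain=False to skip it; clear_history() deletes it."
)


def record_session_naive(history, src):
    """The pattern flagged above: full path and exact time appended silently,
    with whatever permissions the process umask gives a new file."""
    with open(history, "a") as h:
        h.write(json.dumps({"path": str(src), "ts": time.time()}) + "\n")


def _history_key(history):
    """Per-install secret stored beside the history file, created 0600."""
    keyfile = Path(history).with_suffix(".key")
    if not keyfile.exists():
        fd = os.open(keyfile, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(secrets.token_bytes(32))
    return keyfile.read_bytes()


def record_session_minimized(history, src, retain=True):
    """Opt-out, owner-only file, keyed hash instead of the path, day-level time.
    Returns the stored tag (so the caller can tell the user what was kept)
    or None when retention is off."""
    if not retain:
        return None
    history = Path(history)
    key = _history_key(history)
    tag = hmac.new(key, str(Path(src).resolve()).encode(), hashlib.sha256).hexdigest()[:16]
    entry = {"doc": tag, "day": time.strftime("%Y-%m-%d", time.gmtime())}
    fd = os.open(history, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
    with os.fdopen(fd, "a") as h:
        h.write(json.dumps(entry) + "\n")
    os.chmod(history, 0o600)  # tighten a file that pre-existed with a wider mode
    return tag


def load_history(history):
    path = Path(history)
    if not path.exists():
        return []
    return [json.loads(line) for line in path.read_text().splitlines() if line]


def clear_history(history):
    """Delete the history and its key; True if anything was removed."""
    removed = False
    for p in (Path(history), Path(history).with_suffix(".key")):
        if p.exists():
            p.unlink()
            removed = True
    return removed


def demo():
    """Run both writers on a constructed document in a scratch directory and
    report what each leaves behind."""
    with tempfile.TemporaryDirectory() as d:
        doc = Path(d) / "client-acme-merger.docx"  # constructed sample name
        doc.write_text("constructed sample document")
        naive, hardened = Path(d) / "naive.jsonl", Path(d) / "reader.jsonl"
        record_session_naive(naive, doc)
        tag = record_session_minimized(hardened, doc)
        skipped = record_session_minimized(Path(d) / "unused.jsonl", doc, retain=False)
        return {
            "posix": os.name == "posix",
            "naive_leaks_name": "client-acme-merger" in naive.read_text(),
            "hardened_leaks_name": "client-acme-merger" in hardened.read_text(),
            "tag_len": len(tag),
            "hardened_mode": oct(hardened.stat().st_mode & 0o777),
            "skipped_created": (Path(d) / "unused.jsonl").exists(),
            "skipped_return": skipped,
            "entries": len(load_history(hardened)),
            "cleared": clear_history(hardened),
            "after_clear": load_history(hardened),
        }


if __name__ == "__main__":
    print(RETENTION_NOTICE)
    print(demo())
```

The hash is keyed with a per-install secret rather than computed bare because common document locations are guessable, so an unkeyed hash of a path would still identify it in a copied or backed-up history. The protection is against the history file travelling without its key (backups, sync folders); a local user who can read both 0600 files is the same user, which is the threat the findings describe as "other local users, later processes, or backups".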

VirusTotal

64/64 vendors flagged this skill as clean.
