context-surfing

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it should be reviewed because it can automatically run during broad multi-step work and persist detailed session content in local handoff files without explicit redaction or consent requirements.

Install only if you want automatic context-continuity behavior during multi-step work and are comfortable with local handoff files that may contain task details, plans, prompts, and session summaries. Avoid using it in repositories or sessions containing secrets, customer data, credentials, incident details, or proprietary prompts unless you first add clear rules requiring explicit approval, redaction, and cleanup of handoff/session artifacts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers
Severity: High
Confidence: 89%
Finding: The skill is defined to auto-activate for essentially any multi-step task, which can cause it to run invasive behaviors without clear user intent or operator approval. In this context, auto-activation matters because the skill also instructs file scanning, persistent state handling, and eventual repository writes, expanding its reach across ordinary sessions.

Vague Triggers
Severity: Medium
Confidence: 86%
Finding: The Activation section says the skill becomes live automatically whenever plan and intent artifacts exist, but gives weak guidance for when it must stay off. That ambiguity increases the chance the agent will apply persistent-session logic and drift workflows in contexts where the user did not consent to extra reads, logging, or stateful behavior.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The skill directs the agent to create `.context-surfing/` files and modify `.gitignore` as part of its exit flow, but does not require prior user approval for repository changes. Silent writes to the workspace are risky because they alter project state, may interfere with tooling or policy, and can introduce artifacts the user did not request.

Ssd 3
Severity: Medium
Confidence: 93%
Finding: The skill encourages persistent capture of prompts, tool calls, file modifications, checkpoints, and session explanations in external logs and transcripts. That creates a meaningful data leakage risk because secrets, proprietary code paths, user instructions, and operational details may be preserved beyond the immediate session and exposed through later reads, tooling, or repository artifacts.

Ssd 3
Severity: Medium
Confidence: 96%
Finding: The handoff template explicitly tells the agent to copy intent frames, plans, original task descriptions, completed work, and session details verbatim into reusable files. Verbatim persistence is dangerous because it can store sensitive user content, internal architecture notes, credentials accidentally revealed in prompts, or confidential work summaries in plaintext files that may later be read, indexed, or committed.

VirusTotal

66/66 vendors flagged this skill as clean.