skill-state-manager

Security checks across malware telemetry and agentic risk

Overview

This skill is a credential helper, but it tells agents to collect API tokens in chat and persist them locally without adequate safeguards.

Review carefully before installing. If you do use it: issue only narrowly scoped, revocable tokens; avoid pasting real secrets into chat where you can, since transcripts may be logged and retained; verify exactly which files the skill writes and where; restrict those files to the owning user (mode 0600 in a 0700 directory); and rotate or delete stored credentials as soon as they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The skill metadata says it should be invoked whenever a tool requires authentication or returns 401/403, which is broad enough to capture many unrelated workflows and increase the chance the assistant solicits credentials unnecessarily. In this skill’s context, over-triggering is dangerous because the prescribed action is to ask for secrets in chat and persist them locally, expanding credential exposure beyond the minimum necessary scope.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill instructs the assistant to save user-provided API keys and tokens directly to local JSON files, but it does not provide a meaningful warning about sensitivity, file permissions, retention, or risks from chat capture and local compromise. This creates a clear path to persistent secret exposure if the host is shared, backups are synced, logs are collected, or files are read by other tools or users.
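The Overview's advice (restrict file permissions, verify where files are written, delete stored credentials) and this finding describe the same defect from two sides. The following is an added example, not code from the skill under review or from the scanner: the persistence pattern the finding describes (`save_insecure`) beside a hardened version that writes atomically into an owner-only directory, a `forget` helper for the retention point, and an `audit` that reports an existing store that other local users or tools can read. POSIX permissions are assumed, and the store path and service name are illustrative. Where an OS keychain is available it is still the better home for a token than any JSON file.

```python
# Added example, not the skill's own code. Assumes a POSIX host and a
# dedicated directory for the store (the chmod below would be wrong on a
# shared directory). Path and service names are illustrative.
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List, Optional


def save_insecure(store: Path, service: str, token: str) -> None:
    """What the skill prescribes: a predictable JSON file written with the
    default umask, so it is typically mode 0644 and readable by every local
    user, backup agent and tool that can see the home directory."""
    data = json.loads(store.read_text()) if store.exists() else {}
    data[service] = token
    store.write_text(json.dumps(data))


def _write_atomic(store: Path, data: Dict[str, str]) -> None:
    # mkstemp creates the temp file with mode 0600 regardless of umask;
    # os.replace then swaps it in, so no partial or looser copy ever exists.
    fd, tmp = tempfile.mkstemp(dir=store.parent, prefix=".store-")
    try:
        with os.fdopen(fd, "w") as fh:
            json.dump(data, fh)
        os.replace(tmp, store)
    except BaseException:
        os.unlink(tmp)
        raise


def save_hardened(store: Path, service: str, token: str) -> None:
    """Same on-disk format, but owner-only directory and file."""
    store.parent.mkdir(parents=True, exist_ok=True)
    os.chmod(store.parent, 0o700)
    data = json.loads(store.read_text()) if store.exists() else {}
    data[service] = token
    _write_atomic(store, data)


def load(store: Path, service: str) -> Optional[str]:
    if not store.exists():
        return None
    return json.loads(store.read_text()).get(service)


def forget(store: Path, service: str) -> bool:
    """Drop a token from the local store once it is no longer needed.
    Deleting the copy does not invalidate the token; revoke it server-side too."""
    if not store.exists():
        return False
    data = json.loads(store.read_text())
    if service not in data:
        return False
    del data[service]
    _write_atomic(store, data)
    return True


def audit(store: Path) -> List[str]:
    """Report ways an existing credential store is exposed to other local
    users or tools: group/other bits on the file or its directory, or a
    file owned by someone else."""
    problems: List[str] = []
    if not store.exists():
        return problems
    st = store.stat()
    mode = stat.S_IMODE(st.st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{store}: mode {mode:o} is readable by group/other")
    if st.st_uid != os.getuid():
        problems.append(f"{store}: owned by uid {st.st_uid}, not the current user")
    dmode = stat.S_IMODE(store.parent.stat().st_mode)
    if dmode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{store.parent}: directory mode {dmode:o} grants group/other access")
    return problems


if __name__ == "__main__":
    base = Path(tempfile.mkdtemp())
    bad = base / "insecure.json"
    save_insecure(bad, "jira", "example-token")
    print("insecure store:", audit(bad))
    good = base / "creds" / "store.json"
    save_hardened(good, "jira", "example-token")
    print("hardened store:", audit(good))
    forget(good, "jira")
```

Run `audit()` against whatever path the skill actually writes before deciding whether to keep it installed; a non-empty result means the stored tokens should be treated as exposed and rotated.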

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The example workflow normalizes pasting credentials directly into chat and promises future reuse, but it omits any warning that chat transcripts may be logged, retained, or accessible to operators and other tools. In practice, this trains users into unsafe secret-sharing behavior and increases the likelihood of credential leakage through conversation history and downstream persistence.

Ssd 3

Severity: High
Confidence: 99%
Finding
These instructions explicitly tell the assistant to solicit secrets from the user in chat and then persist them from user messages into local files for later reuse. That combines two high-risk behaviors—collecting credentials in a likely logged channel and storing them in a predictable filesystem path—creating durable exposure and making secret theft easier for malware, other local users, or compromised tools.

Ssd 3

Severity: High
Confidence: 99%
Finding
The example concretely demonstrates unsafe behavior by prompting for a Jira token in chat, showing a token literal, and confirming it will be stored for future reuse. Examples are powerful behavioral instructions for both users and agents, so this materially increases the chance of real-world secret exfiltration and insecure persistence.
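The two findings above both turn on the same step: a secret arrives in a user message and is echoed and persisted from there. A practical control is to check messages for token-like literals before they are logged or written out. The following is an added example, not part of the skill or the scanner report: a small pre-persistence scanner that flags literals by known token prefix or by length and character entropy, and a redaction helper for the logging path. The transcript lines are constructed to mirror the skill's example workflow, and the prefix list is an assumption to extend for the token families your tooling handles.

```python
# Added example, not the skill's own code. The transcript below is constructed;
# KNOWN_PREFIXES is an assumption to extend for your own token families.
import math
import re
from collections import Counter
from typing import List, Optional, Tuple

# Prefixes of common token families (GitHub PAT, AWS access key ID, Slack bot
# token, Atlassian API token). Assumed list; extend as needed.
KNOWN_PREFIXES = ("ghp_", "AKIA", "xoxb-", "ATATT3x")
# Any run of 20+ token-ish characters is a candidate for closer inspection.
CANDIDATE = re.compile(r"[A-Za-z0-9_\-+/=]{20,}")
MIN_ENTROPY = 3.5  # bits per character; ordinary words sit well below this


def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def classify(token: str) -> Optional[str]:
    """Return why a literal looks like a credential, or None if it does not."""
    for prefix in KNOWN_PREFIXES:
        if token.startswith(prefix):
            return f"known prefix {prefix}"
    # Require mixed character classes so long plain words are not flagged.
    classes = sum(bool(re.search(p, token)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]"))
    ent = shannon_entropy(token)
    if classes >= 2 and ent >= MIN_ENTROPY:
        return f"high entropy ({ent:.2f} bits/char)"
    return None


def scan_line(line: str) -> List[Tuple[str, str]]:
    """(literal, reason) for every credential-like literal in one message."""
    hits = []
    for m in CANDIDATE.finditer(line):
        reason = classify(m.group(0))
        if reason:
            hits.append((m.group(0), reason))
    return hits


def redact_line(line: str) -> str:
    """Replace flagged literals before the line is logged or persisted."""
    return CANDIDATE.sub(
        lambda m: "<redacted>" if classify(m.group(0)) else m.group(0), line
    )


def scan_transcript(lines: List[str]) -> List[Tuple[int, str, str]]:
    """(line number, literal, reason) across a whole conversation."""
    return [
        (i, literal, reason)
        for i, line in enumerate(lines, 1)
        for literal, reason in scan_line(line)
    ]


# Constructed transcript mirroring the skill's example workflow; the token
# values are made up and are not real credentials.
SAMPLE_TRANSCRIPT = [
    "assistant: Please paste your Jira API token so I can save it for next time.",
    "user: here it is ATATT3xFfGF0exampleexampleexampleexample1234",
    "user: and my github pat is ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef012345",
    "assistant: Stored to ~/.skill-state/jira.json for future reuse.",
    "user: thanks, the ticket is PROJ-1234 and the sprint ends friday",
]

if __name__ == "__main__":
    for lineno, literal, reason in scan_transcript(SAMPLE_TRANSCRIPT):
        print(f"line {lineno}: {reason}: {literal[:6]}...")
    for line in SAMPLE_TRANSCRIPT:
        print(redact_line(line))
```

The entropy rule will also flag hashes and base64 blobs, which is the right bias for a check that gates persistence: a false positive costs a confirmation prompt, a false negative puts a live token in a log.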

VirusTotal

No detections: 0 of 66 VirusTotal engines flagged this skill. Antivirus engines look for known-malicious files, not for the instruction-level behavior in the findings above, so a clean result here does not address them.
