Knowledge Base Pro

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate knowledge-base skill, but it under-discloses networked indexing, query logging, exports, and record-changing actions that can affect internal company data.

Review before installing. Treat this as a high-trust internal-data skill: require corrected network declarations, explicit local-only versus cloud modes, narrow command prefixes, confirmation for delete/export/index operations, access-control enforcement, and logging retention/redaction controls. There is no artifact-backed evidence of intentional malware or hidden exfiltration, but the current package is too under-scoped for unattended use with sensitive company knowledge.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (24)

Intent-Code Divergence

Severity: High. Confidence: 97%.
The manifest declares `makes_requests: false`, but the documented behavior includes URL/API-driven ingestion from Notion, Confluence, Google Docs, YouTube, and use of external embedding/vector services. This mismatch can bypass operator expectations and security controls, leading users to grant the skill trust or permissions under false assumptions.

Vague Triggers

Severity: Medium. Confidence: 91%.
The documented first-trigger phrases include very broad natural-language activators such as "база знаний", "FAQ", and "онбординг новый сотрудник", which are likely to appear in ordinary user conversation. In an agent skill, this can cause unintended invocation, making the skill act on unrelated discussion and increasing the chance of accidental retrieval, modification, or workflow execution.

Vague Triggers

Severity: Medium. Confidence: 95%.
The mode trigger table documents multiple overly generic commands such as `найди`, `FAQ`, `онбординг`, `обнови`, `удали`, `экспорт`, and `индексируй` without any scope or authorization constraints. These tokens are common words in business chat, so they can collide with normal requests and accidentally trigger sensitive operations like deletion, export, or indexing.

Vague Triggers

Severity: Medium. Confidence: 88%.
The trigger list contains very broad phrases such as common workplace terms and generic requests, increasing the chance of unintended activation. In a knowledge-base skill that can log queries, index documents, or modify records, accidental invocation can expose internal content paths or cause unintended data handling actions.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The skill explicitly instructs logging every search query and unanswered request for analytics and gap analysis, but there is no clear user-facing notice or consent flow. Search terms in an internal knowledge system can contain sensitive business, HR, customer, or security information, so silent retention creates privacy and insider-risk exposure.

Missing User Warnings

Severity: Medium. Confidence: 94%.
The indexing workflow describes sending document content to external APIs and vector databases, including embeddings and third-party connectors, without a prominent warning or consent boundary. This can result in confidential internal documents being transmitted off-platform unexpectedly, especially dangerous in a corporate knowledge-base context handling SOPs, HR materials, contracts, and technical docs.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The script automatically unpacks the newly built archive and executes `bash test/smoke-test.sh` from its contents without any explicit warning, prompt, or opt-in. Because the archive contents are assembled from repository files, any malicious or unexpected change to `test/smoke-test.sh` would be executed during a normal build flow, turning packaging into code execution.

Vague Triggers

Severity: Medium. Confidence: 91%.
The trigger list contains broad natural-language phrases such as "Write a runbook for [X]" and "Review KB health" that plausibly overlap with normal user requests. In agent environments that auto-route by trigger matching, this can cause unintended invocation, context switching, or application of the skill in situations the user did not explicitly intend.

Vague Triggers

Severity: Medium. Confidence: 86%.
The example uses a very broad natural-language trigger ('добавь в базу FAQ') for creating a knowledge-base record, with no visible confirmation, authorization, or schema validation requirements. In an agent setting, this can cause ordinary conversational text to be misinterpreted as a state-changing command, enabling accidental or malicious insertion of unreviewed content into the knowledge base.

Vague Triggers

Severity: Medium. Confidence: 91%.
The second example is even less constrained: 'добавь в базу' is ambiguous about which database, record type, and trust boundary apply, yet the content includes sensitive operational metadata like access level and internal support procedures. This increases the risk that loosely phrased user input could create or modify internal records without proper scoping, approval, or destination checks.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The SOP directs staff to contact leads via phone, messenger, and email and to place unresponsive leads into an automatic email sequence, but it contains no requirement to verify consent, lawful basis, opt-out handling, or privacy notice delivery. In a sales-processing workflow, this can lead to unauthorized outreach, privacy complaints, and noncompliance with applicable marketing and data protection rules.

Missing User Warnings

Severity: Medium. Confidence: 89%.
The example explicitly supports indexing a remote Google Docs URL but provides no warning, consent boundary, or restriction around fetching third-party content. In an agent setting, this can lead to unintended external data access, transfer of potentially sensitive document contents into downstream storage or embedding systems, and SSRF-like behavior if URL handling is generalized beyond trusted domains.

Vague Triggers

Severity: Medium. Confidence: 95%.
The skill examples use very generic export commands like "экспорт FAQ", "экспорт базы", and record-ID export without any visible confirmation, authorization gate, or scope restriction. In an agent setting, broad trigger phrases can be matched by ordinary user requests and cause unintended structured data export, which increases the risk of oversharing internal knowledge-base content.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The example explicitly demonstrates a full database export ("экспорт базы категория=all формат=json уровень-доступа=1") without any warning, approval workflow, or indication that sensitive/internal records must be filtered. Even though the sample mentions an access level, the skill context normalizes bulk export behavior and could lead operators or downstream agents to expose a much larger dataset than intended.

Missing User Warnings

Severity: Medium. Confidence: 89%.
The example prompts include destructive operations such as deleting and archiving records without any indication that the agent should require confirmation, authorization checks, or safety guardrails. In a knowledge-base management skill, users often copy examples directly, so these patterns can normalize unsafe execution of state-changing actions and increase the chance of accidental or unauthorized data loss.

Vague Triggers

Severity: Medium. Confidence: 91%.
The onboarding/test commands are short, generic imperatives without any documented activation boundary, confirmation step, or namespace requirement. In an agent environment, this can cause unintended skill invocation from ordinary conversation, leading to unwanted retrieval or workflow execution.

Vague Triggers

Severity: Medium. Confidence: 95%.
Many triggers in this range use everyday phrases like statistics, taxonomy, indexing, and test creation requests that could naturally appear in normal discussion. Without clear scoping, the agent may misinterpret ordinary user text as executable commands and perform unintended KB operations.

Vague Triggers

Severity: Medium. Confidence: 97%.
The indexing/upload examples are especially risky because broad phrases tied to files and URLs can trigger ingestion of local or remote content. If activated accidentally or by prompt injection through user-supplied paths/URLs, this could import sensitive or untrusted data into the knowledge base.

Missing User Warnings

Severity: High. Confidence: 98%.
Delete and archive operations are destructive, yet the examples provide no warning, preview, undo path, or confirmation requirement. In a live skill, accidental activation or ambiguous references could remove or hide important knowledge-base entries, causing integrity and availability issues.

Missing User Warnings

Severity: Medium. Confidence: 93%.
Exporting FAQ and knowledge-base data into JSON, Markdown, YAML, or downstream systems can expose internal or sensitive content if done without privacy guidance and access controls. The examples normalize data movement to external destinations without warning about classification, minimization, or recipient trust.

Missing User Warnings

Severity: Medium. Confidence: 89%.
Indexing local files and external URLs without warning encourages ingestion of potentially sensitive, copyrighted, or attacker-controlled material. This raises confidentiality risk from local documents and integrity risk from poisoning the KB with malicious or untrusted external content.

Vague Triggers

Severity: Medium. Confidence: 95%.
The listed activation phrases are very generic workplace terms such as "база знаний", "FAQ", and onboarding-related language, which are likely to appear in normal conversation. That creates a prompt/skill-invocation collision risk where the skill may activate unintentionally, causing unexpected behavior, disclosure of internal knowledge, or disruption of other workflows.

Ssd 3

Severity: Medium. Confidence: 96%.
Mandated logging of every search and no-result query can capture sensitive free-form inputs such as employee names, credentials pasted by mistake, incident details, HR cases, or customer data. In an enterprise knowledge assistant, this creates a durable secondary repository of sensitive text that may be less protected than the source systems.

Ssd 3

Severity: Medium. Confidence: 94%.
The declared persistent `search-log.csv` storage creates a straightforward leakage surface for sensitive user queries and inferred business intent. Flat-file logs are often broadly accessible, easy to copy, and rarely protected with the same controls as primary knowledge repositories.

VirusTotal

66/66 vendors flagged this skill as clean.