Clawtext Ingest

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a disclosed multi-source ingestion tool for agent memory, but users should handle Discord tokens, exported chat data, URLs, and stored memories carefully.

Install only if you intend to build a persistent agent memory from selected sources. Use a least-privilege Discord bot token, avoid passing secrets in command history, ingest only channels/files/URLs you are authorized to store, review or redact sensitive content before persistence, and protect or delete exported JSON and memory directories when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (27)

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill is presented as an ingestion utility, but `rebuildClusters()` deletes every file in the `memoryDir/clusters` directory. This is a destructive capability outside the core ingestion function, and there is no confirmation, allowlist, or safety check before unlinking files. In an agent setting, that creates avoidable risk of data loss if the method is invoked accidentally or by a prompt-influenced workflow.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide encourages autonomous Discord ingestion, optional disk export, and broad content collection using a bot token, but it does not warn about privacy, consent, retention, or sensitive-data handling. In an agent skill specifically designed for memory ingestion, this omission increases the chance that private conversations, attachments, or regulated data will be collected and persisted without appropriate safeguards.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The troubleshooting section recommends deleting `.ingest_hashes.json` to reset deduplication state without warning that this is destructive and can cause mass re-imports, duplicate memory entries, corrupted operational assumptions, or unexpected downstream processing. In a recurring ingestion system, this can amplify storage growth and reprocess previously ingested sensitive content.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The API is explicitly designed to ingest Discord content, including authors, mentions, links, attachments, and optional file output, yet the documentation omits privacy and data-handling warnings. In an agent skill context, this increases the risk of over-collection, unauthorized retention, or accidental disclosure of sensitive chat content to disk or downstream memory systems.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide encourages ingesting local files, chat exports, and other data sources into agent memory without any caution about privacy, secrets, or downstream exposure. In an agent-memory context, this is dangerous because users may import credentials, internal documents, or private conversations that can later be surfaced to prompts, tools, logs, or other workflows.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The URL ingestion section documents fetching arbitrary external URLs without warning that requests disclose client metadata to remote servers and that fetched content is being imported into persistent memory. In this skill's context, that can expose browsing intent, pull in hostile or poisoned content, and cause sensitive or untrusted external data to become part of agent retrieval.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The troubleshooting advice tells users to delete the deduplication state file without warning that this can trigger broad re-imports and duplicate memory entries. In a memory-ingestion system, that can corrupt retrieval quality, inflate storage, and make later cleanup difficult or effectively irreversible.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation explicitly promotes fetching Discord forum content and saving results to JSON, but it does not warn users that this may collect, retain, and redistribute potentially sensitive message content from Discord. In a memory-ingestion skill, this omission is security-relevant because users may ingest private conversations, attachments, or personal data into downstream storage and agent contexts without understanding the privacy and data-handling implications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The document promotes autonomous recurring ingestion and Discord monitoring patterns without any accompanying warning about privacy, consent, retention, or unintended bulk collection of user data. In an agent skill focused on multi-source memory ingestion, this omission increases the chance that operators deploy continuous collection against Discord content without understanding legal, policy, or data-minimization implications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The testing instructions show use of a live Discord token in an environment variable without any warning about secret handling, least privilege, or avoiding exposure in logs, shell history, and screenshots. Because this skill directly supports Discord ingestion, encouraging token-based testing without credential hygiene guidance can lead to accidental secret leakage and unauthorized access to Discord resources.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The document includes examples that pass a Discord token via an environment variable in command lines, but it does not warn about secret handling, shell history, process exposure, or logging risks. In an agent-oriented guide, this is more dangerous because users may copy these patterns into automation where credentials can be leaked to logs, subprocess listings, or shared environments.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The summary explicitly describes autonomous Discord ingestion and intermediate result saving to disk, but it does not warn users that forum content may contain private, sensitive, or regulated information that will be copied into local storage and downstream memory systems. In an agent-ingestion context, this omission increases the chance of unintentional collection, retention, and exposure of third-party communications, especially when operators treat the feature as routine infrastructure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide explicitly encourages saving Discord ingestion output to JSON but does not warn that the file may contain sensitive message content, attachment links, metadata, and relationship mappings. In an agent-ingestion context, users may run this on private forums or internal channels, so writing unprotected exports to disk increases the risk of local disclosure, accidental commits, backup exposure, or reuse by other tools.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The documentation shows passing a Discord bot token via `--token` and inline environment assignment without warning that command-line arguments can be exposed via shell history, process listings, logs, or screenshots. Because this CLI targets Discord data ingestion, compromise of the bot token could grant ongoing access to private channels and forums available to that bot.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The quickstart instructs users to place a live Discord bot token directly into an environment variable example without any credential-handling warning, guidance on scoping, or advice against shell history leakage and accidental logging. In a skill meant for agent-driven ingestion of Discord data, this increases the chance that users expose a privileged bot token through copied commands, terminal history, screenshots, or downstream tooling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The quick reference instructs users to run live Discord ingestion commands with a bot token and forum ID, but it omits any warning that forum messages and metadata will be retrieved, processed, and potentially exported into downstream memory stores. In a data-ingestion skill, this increases the risk of accidental collection of sensitive or personal Discord content without informed consent, review, or scoping.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README promotes ingesting Discord content, files, URLs, and agent-driven memory injection, but does not warn users that these sources may contain sensitive, private, or regulated data that will be persisted into a memory store and later surfaced automatically to models. In a RAG/agent context, omission of privacy and data-handling guidance increases the chance of unintentional data exposure, over-collection, and inappropriate reuse of confidential content.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Discord examples show inline use of `DISCORD_TOKEN` and routine ingestion of forum content without cautioning users to protect tokens or treat ingested messages as sensitive records. This can normalize unsafe operational practices such as exposing tokens in shell history/logs and storing private Discord data in persistent memory that may later be retrieved by agents or models.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The documentation instructs users to run live integration tests with a Discord token but does not warn about secure token handling, least-privilege bot configuration, or the fact that test execution will access live Discord data. In an agent-oriented ingestion skill, this omission increases the chance that users expose credentials in shells, logs, CI pipelines, or unintentionally ingest sensitive server content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quick-start examples show direct use of a Discord token and live forum fetching without any privacy, authorization, or data-sensitivity warning. Because this skill is explicitly designed for autonomous ingestion, users may copy these examples into agents or scripts that pull private Discord content without adequate consent controls, scope restriction, or protection against token leakage.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The documentation instructs users to ingest Discord content using a bot token and to fetch arbitrary URLs, but it does not warn about privacy, consent, secret handling, or ingestion of sensitive third-party data. In this context, the skill is specifically designed to collect and persist external content into agent memory, so missing warnings materially increase the chance of over-collection, token mishandling, and retention of confidential information.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The manifest advertises autonomous multi-source ingestion and agent-ready workflows but does not define clear trigger boundaries, approval requirements, or scope restrictions. In an agent ecosystem, this can lead to over-broad collection or execution of ingestion actions against unintended sources, especially when the skill is described as autonomous and production-ready.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly ingests Discord content, files, URLs, JSON, and raw text into agent memory and RAG systems, yet the manifest provides no visible privacy, consent, retention, or sensitive-data warnings. This is dangerous because users or autonomous agents may import private conversations, credentials, proprietary documents, or personal data into durable memory stores without understanding the disclosure and persistence risks.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The runner can persist raw intermediate Discord forum data to an arbitrary output path, and that data may contain sensitive message content, metadata, user identifiers, or relationship mappings. In an ingestion skill whose purpose is to collect and process external communications, silent disk persistence increases the chance of unintended data retention, exposure through backups/shared workspaces, or later access by other local users/processes.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
`fromUrls()` performs arbitrary network fetches and persists the returned content directly into memory files without any disclosure, validation, or restriction on target URLs. In an agent environment, this can be abused for unintended outbound requests, ingestion of malicious or sensitive content, and silent persistence of untrusted data that may later influence downstream behavior.

VirusTotal

66/66 vendors flagged this skill as clean.
