Disk Space Analyzer

Security checks across malware telemetry and agentic risk

Overview

This skill is a local disk-usage reporter whose broad drive scan is disclosed and purpose-aligned, but its generated reports can expose local folder paths and the computer name.

Install only if you want a broad local disk-usage survey. Review the generated JSON/HTML before sharing it because it can reveal folder names, software layout, cache locations, drive structure, and hostname. Approve any cleanup or deletion separately after checking the listed paths.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill instructs the agent to run a scanner over all disk drives and write JSON/HTML output files, which are meaningful code and file-write capabilities, yet no permissions are declared. That creates a transparency and consent problem: users and the host platform may not realize the skill can enumerate filesystem contents and persist detailed reports about the machine.

Context-Inappropriate Capability

Low
Confidence
89% confidence
Finding
The report includes the machine hostname, which is not necessary for calculating disk usage and increases collection of host-identifying metadata. In environments where reports are uploaded, shared, or logged centrally, this unnecessarily exposes asset identity and can aid system enumeration.

Vague Triggers

Medium
Confidence
75% confidence
Finding
The trigger list contains broad phrases such as general disk-space help requests that can easily match normal conversation, increasing the chance the skill activates unexpectedly. Because this skill scans all drives and generates a detailed filesystem report, accidental invocation exposes significantly more sensitive local information than a narrow utility would.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description markets the skill as a disk analysis tool but does not clearly warn that it scans all drives and produces a detailed report of directory contents, including top directories, deep traces, cache locations, and Windows component breakdowns. This weak disclosure is dangerous because filesystem structure and software/layout details can reveal sensitive personal or enterprise information even if file contents are not read.

VirusTotal

67/67 vendors flagged this skill as clean.
