Obsidian Brain

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Obsidian memory helper, but it forces durable memory reads and writes and shows recalled memory without clear user approval.

Install only if you intentionally want the agent to maintain durable Obsidian-backed memory across sessions. Before using it, restrict the memory folder, review saved notes, require confirmation before writes, avoid storing secrets or personal data, and do not allow any ClawHub publish action unless you explicitly request it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The activation condition is extremely broad and can trigger on ordinary user requests involving files, knowledge lookup, or memory-like operations. In this skill, broad triggering is dangerous because it automatically routes many conversations into a persistence workflow that reads and writes cross-session memory without a clear user opt-in boundary.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill directs the agent to write conversation-derived memory fragments to disk as part of normal operation, but provides no requirement to notify the user or obtain consent for persistent storage. This creates a privacy and compliance risk because users may reveal sensitive data in a session without realizing it will be retained across sessions.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The skill makes end-of-task writeback mandatory and says it is '不可跳过' ('cannot be skipped'), which means persistence happens by default regardless of sensitivity or user expectation. Because the writeback is triggered at task completion, users may unknowingly cause storage of confidential prompts, conclusions, or operational details that persist beyond the current interaction.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The skill establishes a cross-session retention channel by extracting facts from conversations and storing them as reusable memory fragments, then reloading them into future contexts. That design can preserve and later expose sensitive user data, internal decisions, credentials, business context, or other private facts in natural-language form, even if no structured database is involved.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The required response format forces the agent to disclose which memory fragments were loaded and their summaries at the start of every reply. This creates a direct disclosure path where previously stored information may be surfaced to the current user or chat context, even when that information is only tangentially related or belongs to a different project or sensitivity level.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The writeback workflow instructs the LLM to extract 'key facts' from results and store them whenever they may be useful later, but it does not define sensitivity boundaries or prohibited categories beyond formatting rules. In practice, this broad extraction policy can capture confidential findings, personal data, proprietary decisions, incident details, or security-relevant information and make them persistently retrievable in future sessions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal