Context Compressor

Security checks across malware telemetry and agentic risk

Overview

This skill is a plausible context-compression helper, but it also stores conversation-derived history and changes shell startup files without clearly bounded controls.

Review before installing. Use dry-run first, avoid using it on sensitive conversations unless you are comfortable with local memory/today.md retention, and inspect or avoid the installer because it changes ~/.bashrc and links a command target that is not present in the reviewed package.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Tp4

High
Category
MCP Tool Poisoning
Confidence
94% confidence
Finding
The skill is presented as a pure context-compression utility, but the Quick Start instructs users to run a shell installer that links a command into ~/bin and updates shell startup behavior via ~/.bashrc. That creates a trust-boundary mismatch: users expecting harmless prompt compression may execute host-modifying setup steps, which increases the chance of unintended persistence, PATH hijacking exposure, or execution of unreviewed local scripts.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The README markets the skill as a pure current-conversation compressor, but also states that compression history is written to `memory/today.md`. That creates an undocumented persistence channel, which can retain potentially sensitive conversation content beyond the current session and contradicts the stated trust boundary of the tool.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Introducing persistent memory storage is security-relevant because compressed summaries may still contain secrets, prompts, code, or personal data from prior messages. For a tool whose stated purpose is transient context reduction, this additional storage expands data exposure and can surprise users or downstream agents that assume no persistence.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The claim 'not a memory manager' materially conflicts with later documentation that compression history is saved to memory files. This inconsistency can mislead users into trusting the skill with sensitive conversations under the false assumption that no durable state is created.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The document explicitly says the compression result is written to `memory/today.md`, which introduces persistence despite the skill being described as a current-context compressor and 'NOT a memory manager.' This mismatch is security-relevant because users and integrators may assume no retention occurs, causing unintended storage of potentially sensitive conversation history.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The file states that compression 'must be confirmed before execution,' but later describes automatic write behavior after completion, creating an ambiguous consent boundary. In a context-compression skill handling full chat history, this can lead to users approving summarization without understanding that their data will also be persisted, which undermines informed consent.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documentation explicitly says each compression writes a record to `memory/today.md`, which contradicts the skill's stated scope of being a pure current-context compressor and not a memory manager. Persisting compression history can store sensitive conversation metadata and create unintended retention of user content or usage patterns beyond the active session.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The file claims the tool only compresses current conversation context, yet also documents persistence into memory history and integration with long-term memory tooling. This scope mismatch is security-relevant because operators and users may grant the skill access under false assumptions, leading to unexpected data flow into durable storage or external memory components.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The installer persists a PATH modification by appending to ~/.bashrc, which changes the user's shell environment beyond the immediate install session. For a skill described as a pure context-compression tool with no dependencies, this is unnecessary persistence and expands the skill's footprint, creating avoidable risk if the linked command is later replaced or abused.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Automatic writes to memory files without a clear warning or explicit consent are risky because users may not realize conversation-derived content is being persisted. In this skill's context, the data being compressed is likely to include system prompts, user messages, code, and possibly secrets, so silent storage increases confidentiality and integrity risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger phrase “瘦身” is generic and can appear in normal conversation unrelated to context management. In an auto-triggered skill, an overly broad phrase can cause unintended activation, leading to unwanted compression of the current conversation and possible loss or distortion of important context.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The auto-activation condition of 'context exceeds 70%' is underspecified because it does not define which token budget is measured, how it is calculated, or what content is in scope. Ambiguous activation rules can cause premature or inconsistent compression, which may unexpectedly alter conversation state or discard relevant information.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger list includes broad natural-language phrases such as 'compress' and '瘦身' that could appear in ordinary conversation and accidentally invoke the skill. Because this skill operates on the current conversation history and may lead into persistence behavior, unintended triggering can cause surprise summarization, workflow disruption, and possible unwanted data retention.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation says compressed history is automatically written to `memory/today.md` but provides no warning about retention, sensitivity, or lifecycle of stored data. Since conversation context can include credentials, personal data, or confidential instructions, undocumented persistence materially increases privacy and security risk.

VirusTotal

66/66 vendors flagged this skill as clean.
