security-sweep

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate security scanner, but its optional Notion workflow can send discovered secrets to a third-party store with limited runtime confirmation.

Install only if you want a shell-based local security scanner and are comfortable reviewing the scripts. Use normal scans without `--encrypt-found` by default. Do not enable Notion export unless you trust the separate `notion-secrets.js` helper, the Notion workspace, and the handling of `NOTION_MASTER_PASSWORD`; treat exported findings as sensitive retained security data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill clearly instructs the agent to execute multiple shell scripts (`full-scan.sh`, `quick-scan.sh`, `skill-scan.sh`, `npm-audit.sh`) but does not declare any corresponding permissions. Hidden or undeclared shell capability is dangerous because it prevents informed consent and weakens policy enforcement around command execution, even if the stated purpose is security scanning.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README presents the skill as a security scanner, but it also advertises an optional capability to send discovered secrets to an external Notion-backed store. That expands the trust boundary from local analysis to secret handling and external persistence, which is risky for a scanning tool because users may not expect sensitive findings to leave the local environment.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Auto-encrypting found secrets to Notion introduces external storage and likely network egress that is not necessary for the core function of scanning. Even if encrypted, exporting discovered credentials increases exposure, creates a dependency on external infrastructure, and may violate the expectation that a scanner only inspects and reports.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The README states the scan is read-only, but elsewhere says secrets may be removed when auto-encryption is enabled. This contradiction is dangerous because users may run the tool believing it cannot modify files, when in fact it can alter the scanned codebase and potentially destroy or change evidence during a security review.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The documentation expands the skill from passive security scanning into a secret-management workflow that stores discovered secrets in a third-party cloud service. That broadens the trust boundary and creates a meaningful risk of unintended retention, disclosure, or policy violations, especially because users may not expect a scanner to facilitate secret storage outside the local environment.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Documenting upload of encrypted secrets to Notion introduces a network egress path for highly sensitive data found during scans. Even if encrypted client-side, this is still exfiltration to a third-party service and may violate least-privilege expectations, compliance requirements, or incident-handling procedures if users assume scan findings remain local.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script includes a capability to send discovered secrets to an external Notion helper via `node "$notion_script" put ...`, which is a form of secret exfiltration outside the stated scanning/reporting function. Even though it is gated by `--encrypt-found` and an environment variable, a security scanner handling discovered credentials should not transmit them off-host without explicit, strong consent and clear data-handling guarantees.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Uploading found secrets is context-inappropriate for a security scanning skill because the tool is expected to detect and report sensitive material, not move it elsewhere. In this context, even an 'encrypted' storage claim increases risk: discovered credentials are concentrated in another system, broadening exposure and violating least surprise for users running a scan.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
The function name/comment imply encryption to Notion, but this script does not perform encryption itself; it simply pipes the secret to an external helper and trusts a success string. That mismatch is security-relevant because operators may believe sensitive data is safely encrypted when the actual protection depends entirely on another script whose behavior and integrity are not verified here.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The instructions emphasize encryption strength but do not clearly warn that encrypted secret material is being uploaded to Notion, a third-party cloud platform. Users may incorrectly equate encryption with zero privacy risk and miss governance concerns such as metadata exposure, account compromise, service access, retention, and organizational policy restrictions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
At the point secrets are transmitted, the script provides no strong runtime warning or confirmation that discovered secrets are being sent to an external helper. Because this is a security scanner, users are especially likely to assume results remain local, so silent or lightly signaled transmission materially increases the chance of unintended disclosure.

VirusTotal

65/65 vendors flagged this skill as clean.
