中文AI知识管理 (Chinese AI Knowledge Management)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent knowledge-management skill with local writes and optional AI API use, but users should treat AI extraction and semantic deduplication as sending selected content to configured providers.

Install only if you are comfortable with a tool that reads local logs/backups and writes a persistent knowledge base. Use basic sync for local-only operation; before using --semantic or extract, assume the relevant text may be sent to your configured AI provider, redact secrets, and review drafts before importing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Medium
Confidence: 91%
Finding
The README advertises semantic deduplication and LLM-based conversation extraction using external providers, but it does not clearly warn that logs, conversation dumps, or other knowledge-base inputs may be sent to third-party APIs. This creates a real data exposure risk because users may process sensitive internal content under the assumption that the tool remains local unless they infer otherwise from provider configuration examples.

Vague Triggers

Medium
Confidence: 86%
Finding
Using the generic trigger phrase "知识库" ("knowledge base") can cause the skill to activate in unrelated conversations about knowledge bases, increasing the chance of unintended file-processing or sync actions. In an agent setting, overly broad activation can lead to surprise execution of commands that touch local logs, memory files, or external APIs when the user did not clearly request this skill.

Vague Triggers

Medium
Confidence: 89%
Finding
The condition "用户要求从对话中提取知识" ("the user asks to extract knowledge from the conversation") is ambiguous because many conversational requests could be interpreted as permission to persist or restructure chat content. Without explicit consent boundaries, the agent may extract sensitive information from conversation history into drafts or a knowledge base, creating privacy and data-governance risks.

Missing User Warnings

Medium
Confidence: 95%
Finding
The code sends full conversation dump content to a configurable external LLM endpoint, but there is no explicit user-facing consent, warning, redaction step, or trust boundary check before transmission. Because session-memory dumps can contain sensitive business context, personal data, credentials, or operational details, this creates a real data exfiltration/privacy risk rather than a purely theoretical concern.

Missing User Warnings

Medium
Confidence: 87%
Finding
This code sends entry title/body text to a third-party embedding endpoint, which can expose potentially sensitive knowledge-base content to an external service. In a knowledge-management skill, entries may contain private notes, credentials, business data, or personal information, so undisclosed outbound transfer increases confidentiality and compliance risk.

Missing User Warnings

Medium
Confidence: 93%
Finding
The code writes to whatever path is returned by classifyFn(entry, config) and will create parent directories and append content without validating that the destination stays within an approved kb directory. In a skill that processes draft content and classification results, this creates a path traversal / arbitrary file write risk if an attacker can influence the target path through entry data or configuration, potentially overwriting or planting files outside the intended workspace.

Ssd 3

Medium
Confidence: 94%
Finding
The prompt explicitly asks the model to distill conversation content into persistent knowledge entries, and the implementation later transmits raw session dumps to an external LLM. This creates a genuine leakage path where sensitive user statements, internal decisions, role mappings, and business rules can be retained, transformed, and written into durable artifacts, increasing both exposure and persistence of confidential data.

VirusTotal

66/66 vendors flagged this skill as clean.
