ClawHub

snlib-cli

Security checks across malware telemetry and agentic risk

Overview

This appears to be a coherent Seongnam Library CLI wrapper, but users should handle credentials carefully and review request-submission commands before running them.

Install only if you trust the upstream snlib-cli package and are comfortable using your Seongnam Library account with it. Avoid pasting real passwords or personal details into shared terminals, logs, or chat transcripts, and manually review any interloan-request or hope-book-request command because it can submit a real request on your account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The document advertises write-capable operations such as interlibrary-loan and hope-book requests without an explicit confirmation, authorization, or caution step before submission. In an agent skill context, this increases the chance of unintended real-world actions against a user's library account, especially if an automated system invokes commands directly from user intent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs users to pass account credentials through environment variables but does not warn about exposure risks such as shell history, inherited process environments, logs, or accidental disclosure to other tools. Because the skill is designed for authenticated access to a personal library account, mishandling these credentials could enable account compromise or privacy leakage.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation includes examples for passing credentials via environment variables and submitting personally identifiable information such as email and phone number in command examples, but it provides no warning about shell history, process exposure, logging, or safe handling of sensitive data. In a CLI skill specifically designed for authenticated library-account actions, this omission increases the chance that users or agents will expose secrets or personal data through transcripts, terminal history, screenshots, or automation logs.

Session Persistence

Medium
Category
Rogue Agent
Content
## Safety Rules

- Start with read-only commands before any write action.
- In skills, pass credentials via `SNLIB_USER` and `SNLIB_PASSWORD` environment variables.
- Session data is stored under `~/.config/snlib-cli/`.
Confidence
89% confidence
Finding
write action. - In skills, pass credentials via `SNLIB_USER` and `SNLIB_PASSWORD` environment variables. - Session data is stored under `~/.config

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal