Export Reply

Security checks across malware telemetry and agentic risk

Overview

This is a local chat-export helper that writes chosen replies or conversations to files and remembers export settings, with no evidence of hidden data theft or destructive behavior.

Install only if you are comfortable letting the agent write chat content to local files and remember the last export destination. Check the path before confirming reuse, avoid exporting sensitive chats to shared or synced folders, and clear ~/.export_reply_prefs.json if you do not want saved settings. Use extra caution with PDF export because it may render content through a local browser.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (10)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
```python
# Excerpt quoted by the scanner (truncated in the report): the skill writes the
# conversation to a temporary HTML file and launches a headless browser on it.
html_tmp = Path(tempfile.mktemp(suffix=".html"))
try:
    write_html(content, html_tmp, title)
    result = subprocess.run(
        [
            chrome,
            "--headless", "--disable-gpu", "--no-sandbox",
```
Confidence
93% confidence
Finding
result = subprocess.run( [ chrome, "--headless", "--disable-gpu", "--no-sandbox", "--run-all-compositor-stages-b

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes local Python scripts, writes exported conversation data to files, reads/writes a preferences file, and directs the agent to run shell commands, yet it does not clearly declare or surface these capabilities as permissions. This creates a transparency and consent gap: users may trigger the skill with innocuous words like 'save' without realizing it can persist potentially sensitive conversation content and metadata to disk.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill's purpose is local export, but the PDF path expands capability by probing for and launching an external browser process to render user-controlled content. In this context, that makes the agent more dangerous because exporting a conversation should not require executing another complex application against potentially adversarial text.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger phrases include very generic terms such as '保存 / 导出 / save / export', which can easily appear in normal conversation and unintentionally invoke the skill. Because the skill writes conversation content to local storage, accidental activation can lead to unintended data persistence or exfiltration to shared/local paths.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The usage section reinforces ambiguous activation by telling users to 'Just say 保存 / 导出 / save / export', increasing the chance that ordinary language will trigger export behavior. In this context, accidental invocation is more dangerous because the skill can export full conversations and remember prior destinations for future one-tap repeats.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The visible description emphasizes convenience and remembered settings but does not clearly warn that full conversation content may be written to local files and that preferences are persisted in a file under the user's home directory. This omission undermines informed consent and may cause users to expose sensitive prompts, secrets, or personal data unintentionally.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
Summary mode mandates bilingual Chinese+English output without separately confirming that translation or duplication is desired. While not code-execution dangerous, it can broaden data exposure by duplicating sensitive content in another language and may create compliance or privacy issues if the user expected a same-language-only summary.

Ssd 3

Medium
Confidence
96% confidence
Finding
The skill explicitly supports exporting the full conversation, including user messages, to local files and does so without any sensitivity screening, redaction, or confirmation tailored to risky content. If the conversation contains credentials, personal data, internal documents, or security-sensitive material, the skill can persist that data verbatim to disk or shared folders, increasing the chance of disclosure.

Ssd 3

Medium
Confidence
95% confidence
Finding
Raw mode instructs verbatim, role-labeled export of user and assistant content, which maximizes the risk of sensitive data being copied to disk exactly as originally provided. In a chat environment, this is especially risky because users often paste secrets, personal information, or proprietary text into conversations without expecting durable local storage.

Hidden Instructions

High
Category
Prompt Injection
Content
```

---
<!-- Agent instructions below. Not rendered on ClawHub. -->

## Interaction Flow (MUST follow exactly)
```
Confidence
92% confidence
Finding
<!-- Agent instructions below. Not rendered on ClawHub. -->

VirusTotal

66/66 vendors flagged this skill as clean.
