Presidio Pii Scrubber for sensitive info

Security checks across malware telemetry and agentic risk

Overview

This skill is a real local PII scrubber, but it needs review because raw customer data can be sent to configurable endpoints and sensitive mapping files are not tightly confined.

Install only if you need local PII scrubbing and can control the runtime. Bind Presidio to localhost, verify PRESIDIO_ANALYZER_URL and PRESIDIO_ANONYMIZER_URL are not set to remote services, use simple session IDs such as timestamps or UUIDs without slashes, and periodically remove stale files under the Presidio mappings directory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill declares no explicit permissions, yet its documented behavior clearly requires shell execution, Docker/network access to localhost, and file creation/deletion for PII mapping files. This mismatch is dangerous because reviewers or policy engines may under-trust the actual capability footprint, allowing a skill that handles sensitive customer data to operate without transparent authorization boundaries.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding: The script intentionally writes a reversible mapping of pseudonym tokens back to original PII to disk, creating a sensitive datastore of names, emails, phones, and other identifiers. In a PII-scrubbing skill, this materially increases breach impact because compromise of the mapping directory fully defeats anonymization and may surprise operators if the skill is described primarily as 'scrubbing' data.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The script sends raw input text, which may contain PII, to analyzer and anonymizer endpoints over plain HTTP and allows those endpoints to be configured via environment variables. In the stated context of protecting customer data before it reaches models, this is dangerous because misconfiguration, remote endpoints, container networking exposure, or local interception could leak exactly the sensitive data the skill is supposed to protect.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: Persisting a reversible mapping file without clear warning creates a hidden secondary repository of sensitive data. In a privacy-protection skill, this is especially risky because users may believe data has been safely scrubbed while the originals remain recoverable from disk, increasing the chance of accidental retention, backup exposure, or host compromise disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.