ClawHub

Value Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a local value-tracking skill that stores and reports user-entered task history, with no evidence of hidden execution, exfiltration, or privileged behavior.

Before first use, clear or review the bundled data.json if you want reports to reflect only your own work. Avoid logging secrets or highly sensitive business details, because task descriptions and notes persist locally and may be included in markdown reports or JSON exports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The report function prints a markdown report containing task descriptions and timestamps-derived activity summaries, and the export function can emit individual entries as JSON. Although the file performs user-visible printing, there is no disclosure in the code comments/docstrings or CLI help that these outputs may expose potentially sensitive work descriptions when redirected, shared, or pasted elsewhere.

Session Persistence

Medium
Category
Rogue Agent
Content
return {"entries": []}

def save_data(data):
    """Save data to file."""
    with open(DATA_FILE, 'w') as f:
        json.dump(data, f, indent=2)
Confidence
60% confidence
Finding
Save data to file

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal