SF Civic Digest

Security checks across malware telemetry and agentic risk

Overview

This is a civic-data digest skill, but it automatically stores local archives of sensitive public records and political activity with limited user controls.

Install only if you are comfortable with a broad SF civic monitoring tool that fetches public data from many official and media sources and stores local JSON archives. Before using it regularly, review USER.md, avoid tracking private individuals, and periodically delete archive/state files if you do not want local historical records of evictions, 311 cases, lobbying, journalism, or protest events retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (20)

Description-Behavior Mismatch

Severity: Medium, confidence 87%
The README advertises substantially broader coverage than the manifest metadata, including additional government bodies, data layers, and journalism/community sources. This creates a trust and scope mismatch: an agent or user may rely on the manifest to understand what external content is accessed, while the skill documentation suggests the skill may ingest a much wider set of sources and topics than declared.

Context-Inappropriate Capability

Severity: Low, confidence 76%
The README claims journalism monitoring even though the manifest frames the skill as civic-government tracking. While not inherently malicious, this broadens the effective input surface to opinionated third-party media, which can introduce bias, weaker provenance, and unexpected content handling beyond the user’s reasonable expectations for a government-data skill.

Context-Inappropriate Capability

Severity: Medium, confidence 77%
The script stores a reusable local archive containing addresses, neighborhood, district, status, and latitude/longitude for 311 cases. Even though the upstream data is public, creating a persistent, normalized local dataset increases privacy and misuse risk, especially because this behavior is not clearly justified by the skill's digest function and is performed automatically without controls.

Description-Behavior Mismatch

Severity: High, confidence 95%
The script’s functionality does not match the declared skill scope: it targets BART Board meetings, which are regional transit governance rather than the San Francisco city-government bodies and sources described in the manifest. This kind of scope drift is dangerous because an agent or user relying on the manifest could invoke the skill under false assumptions, causing silent collection and presentation of unintended data and undermining policy, routing, and trust boundaries.

Description-Behavior Mismatch

Severity: High, confidence 98%
The implementation materially diverges from the declared skill purpose: instead of tracking San Francisco government meetings and notices, it collects protest, rally, and organizing event data from Mobilize and Indybay. That scope mismatch is dangerous because users and platform reviewers may grant the skill trust and permissions based on the manifest, while the code performs politically sensitive monitoring outside the stated purpose.

Context-Inappropriate Capability

Severity: High, confidence 96%
This code builds capability to enumerate protests, rallies, canvasses, and related organizing infrastructure, which is unrelated to a city-government digest and can expose sensitive political activity. In this skill context, that makes the behavior more dangerous because it hides surveillance-like or targeting-enabling functionality behind a benign civic-information description.

Description-Behavior Mismatch

Severity: Medium, confidence 87%
The script persists fetched civic-action events to a local archive even though the manifest describes a fetch/read digest workflow, not durable storage. Retaining historical protest and organizing event data increases privacy and misuse risk because it creates an accumulating dataset that can later be repurposed for profiling, monitoring, or correlation.

Description-Behavior Mismatch

Severity: Medium, confidence 91%
The script expands the skill’s data collection beyond the manifest-described SF civic sources by ingesting SF Ethics Commission notices and lobbyist activity. That creates a scope mismatch: users and reviewers may expect a neighborhood civic digest, but the skill also processes politically sensitive ethics and lobbying data, increasing privacy, compliance, and trust risks through undisclosed functionality.

Context-Inappropriate Capability

Severity: Medium, confidence 88%
The code collects and archives lobbyist contact and campaign contribution records, which are materially more sensitive than ordinary meeting agendas or neighborhood notices. Persisting this data creates a monitoring capability not clearly aligned with the stated civic-digest purpose, enabling undisclosed profiling or accumulation of political-activity records over time.

Description-Behavior Mismatch

Severity: Medium, confidence 92%
This script expands the skill into eviction-notice monitoring, which is outside the manifest’s described civic sources and significantly more privacy-sensitive than generic agendas, hearings, or legislation digests. Scope expansion matters because it introduces handling of housing-displacement data and address-level records that users and reviewers would not reasonably expect from the declared skill behavior.

Description-Behavior Mismatch

Severity: Low, confidence 86%
The manifest describes fetch/filter/digest behavior, but this code also creates a persistent local archive file. Even if the data is public, undisclosed retention is a capability increase because it changes the skill from transient summarization to ongoing local storage of sensitive civic/housing records.

Context-Inappropriate Capability

Severity: Medium, confidence 95%
The archive stores eviction IDs, addresses, neighborhoods, filing dates, district, constraints, and derived reasons, creating a local historical dataset of housing-distress events. This exceeds what is needed for a simple digest and increases privacy and misuse risk, especially because address-level eviction data can be repurposed for profiling, targeting, or sensitive inference about tenants and properties.

Description-Behavior Mismatch

Severity: Medium, confidence 94%
The file behavior materially diverges from the skill manifest: it monitors a third-party news outlet rather than the declared SF government and civic-data sources. This kind of scope mismatch is dangerous because users and downstream agents may trust the skill to provide authoritative government-activity tracking, but instead receive filtered journalism content with different coverage, timeliness, and editorial framing.

Description-Behavior Mismatch

Severity: Medium, confidence 95%
The code explicitly fetches from missionlocal.org and applies topic filtering, which broadens the skill from government-source tracking into journalism aggregation. In this skill context, that is more dangerous because the skill is presented as an SF civic/government tracker, so hidden inclusion of media sources can mislead users, contaminate summaries with non-authoritative content, and bypass expected provenance boundaries.

Natural-Language Policy Violations

Severity: Medium, confidence 92%
The skill instructs the agent to adopt a specific political/editorial lens ('pro-building, pro-tech, car-free') regardless of user preference. That creates an integrity and trust problem: outputs may be systematically biased or manipulative while appearing to be neutral civic reporting, especially in a public-policy context where framing can influence user decisions and advocacy.

Natural-Language Policy Violations

Severity: Medium, confidence 91%
The template explicitly asks for 'People to flag,' which encourages collection and processing of identifiable individuals in a monitoring workflow without any stated purpose limitation, consent model, or safeguards. In a civic-tracking skill, this can enable targeted profiling, politically sensitive watchlists, or unfair attention toward private persons, especially when combined with neighborhood, address, and hearing data.

Missing User Warnings

Severity: Low, confidence 83%
The code automatically persists location-linked 311 records to disk without warning or consent, which is a privacy and transparency issue. In the context of a civic digest skill, silent local retention is more dangerous because users would reasonably expect fetched public data to be summarized, not archived for later reuse.

Missing User Warnings

Severity: Medium, confidence 90%
The script unconditionally writes all fetched events into a local archive without any user-facing warning, consent, or opt-in. In the context of protest and organizing data, silent persistence is more sensitive than ordinary caching because users may reasonably expect a digest tool to only fetch and summarize public data transiently.

Missing User Warnings

Severity: Medium, confidence 93%
The script writes sensitive address-level eviction information to disk without any explicit user notice, consent, or operator-facing warning about retention. Silent persistence of housing-related records raises privacy and governance concerns even when sourced from public data, because users may expect an ephemeral digest rather than creation of a durable local dossier.

Missing User Warnings

Severity: Medium, confidence 67%
The script writes scraped results to a persistent local archive automatically, without explicit user notice, consent, or a runtime switch to disable storage. Even though the data is public civic information, silent persistence expands the skill's behavior beyond a read-only fetch and can surprise users or operators, especially in shared environments where local artifacts may be inspected later.

VirusTotal

66/66 vendors flagged this skill as clean.