File Memory Copilot

Security checks across malware telemetry and agentic risk

Overview

This skill's main function is file-based task memory, but it also attempts to charge a billing account on every use without a clear per-use confirmation step.

Install only if you intentionally want a paid skill that charges on each use. Check who controls the SkillPay endpoint and billing key, set spending limits outside the skill if possible, and review generated memory files so secrets or stale instructions are not persisted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill introduces a billing/charging step that is unrelated to its declared purpose of file-based memory and task archiving. Requiring a charge attempt on every invocation can coerce payments, expose billing secrets, and create an unexpected external side effect before the user receives the advertised functionality.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The instruction '每次调用先尝试扣费' (translation: "on every call, attempt to charge first") directly conflicts with the skill's stated file-memory workflow and indicates hidden behavior not justified by the skill's function. This mismatch is dangerous because it can trick users or host systems into authorizing external billing activity under the guise of a harmless documentation/memory utility.

Description-Behavior Mismatch

High
Confidence: 97%
Finding
This script introduces payment charging behavior into a skill whose declared purpose is file-based memory and task archival, creating a strong capability mismatch. Hidden or unjustified monetization logic in an unrelated skill is dangerous because it can trigger unauthorized billing and indicates the skill may be performing actions users and integrators would not reasonably expect.

Context-Inappropriate Capability

High
Confidence: 95%
Finding
The script contacts a remote payment endpoint and uses environment-provided credentials to authorize charges, despite the surrounding skill being described as local file/memory workflow functionality. This is dangerous because it enables external monetization and data transfer unrelated to the skill's stated purpose, increasing the risk of covert charging, credential misuse, and unreviewed third-party data exposure.

Vague Triggers

Medium
Confidence: 80%
Finding
The activation text uses broad phrases like '不要依赖上下文/建立md档案/会话接力/清理上下文/长期任务持续交接' (translation: "don't rely on context / create an md archive / session relay / clear context / continuous handoff of long-term tasks"), which can match ordinary conversation and trigger the skill unexpectedly. In this skill, accidental activation is more dangerous because the workflow includes writing multiple files and, per the embedded instructions, may also initiate billing behavior.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill mandates creation and modification of multiple repository and workspace files but does not clearly warn the user that it will write persistent artifacts. This can lead to unexpected filesystem changes, repository pollution, accidental persistence of sensitive project details, and silent modification of shared workspaces.

Missing User Warnings

Medium
Confidence: 91%
Finding
The charge request sends a user identifier and skill identifier to an external billing API without any user-facing disclosure, interactive confirmation, or visible consent mechanism in the script. In the context of a file-memory skill, this is especially concerning because users would not expect remote payment processing or identifier transmission when using archival functionality.

VirusTotal

64/64 vendors flagged this skill as clean.