ClawHub

Ghost Mode

Security checks across malware telemetry and agentic risk

Overview

This appears to be a privacy/ghost-session skill, but it can delete or alter session and memory data with unclear activation and safety boundaries.

Review before installing. The skill may be useful if you explicitly want private or non-persistent sessions, but it appears to have authority to alter or delete session and memory files. Only use it if you are comfortable with that behavior, keep backups of important sessions, and prefer an updated version that requires explicit opt-in and offers dry-run or confirmation before deletion.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The safety docstring says OPENCLAW_HOME and OPENCLAW_WORKSPACE must not be the user's home directory root, but the implementation only checks that resolved paths start with 'home/'. As a result, values like '/home/user/..../user' resolving to the home root or equivalent edge cases are not explicitly rejected, weakening the intended trust boundary and potentially allowing the registry and flag logic to operate across the entire home directory tree.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The function comment says it will remove an entire related block from MEMORY.md, but the implementation only skips the individual line containing a matching session ID or timestamp. In a memory-scrubbing tool, this mismatch can leave associated lines behind, causing incomplete deletion of ghost-session content and undermining privacy or data-removal guarantees.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The phrase 'wants a conversation that leaves no persistent trace' delegates activation to subjective intent inference rather than an unambiguous command. That can lead the agent to autonomously enable a mode that suppresses records and later performs deletion, which is risky for auditability, user consent, and data retention expectations.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The phrase 'wants a conversation that leaves no persistent trace' delegates activation to subjective intent inference rather than an unambiguous command. That can lead the agent to autonomously enable a mode that suppresses records and later performs deletion, which is risky for auditability, user consent, and data retention expectations.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script deletes original session files automatically after copying them, with no confirmation, dry-run, integrity verification, or rollback if later steps fail. In a session-management skill, this increases the risk of accidental data loss or destructive archival of the wrong sessions, especially given the nearby active/completed mismatch that could broaden the set of affected files.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal