Context Cache Manager

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-aligned but needs review because it persists sensitive conversation context locally and reloads it with unsafe pickle deserialization.

Review before installing. Only use this skill on a machine and account where local prompt and conversation snapshots are acceptable, and avoid using it around secrets or sensitive work until it replaces pickle with a safe format and documents cache controls, permissions, retention, and cleanup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly requests file read/write access for a cache directory and describes persisting system prompts, rendered prompts, message history, and content replacement state to disk using pickle+gzip, but it does not clearly warn users that potentially sensitive conversation context will be stored locally. This creates a real privacy and security risk because secrets, internal prompts, or user data may be written to disk, linger for up to 24 hours, and be exposed through local access, backups, logs, or later compromise.

Missing User Warnings

Medium
Confidence: 92%
Finding
The code persists full conversation context, including system prompts, message history, and content replacement state, to disk under the user's home directory without any consent flow, visibility, or protections such as encryption or restrictive permissions. In an agent context, these snapshots may contain sensitive prompts, secrets, personal data, or internal workflow state, so silent persistence increases the risk of unintended disclosure to other local users, backup systems, or later compromise of the host.

Missing User Warnings

Medium
Confidence: 99%
Finding
The loader deserializes cache files with pickle, which is unsafe for untrusted or tampered data because pickle can execute arbitrary code during loading. Since the cache path is derived from session IDs and files are read from a user-writable directory, any attacker who can place or modify a matching .pkl.gz file in that location could potentially achieve code execution when restore or fork operations load the snapshot.

VirusTotal

66/66 vendors flagged this skill as clean.