统一知识库 (Unified Knowledge Base) (#kb)

Security checks across malware telemetry and agentic risk

Overview

This knowledge-base skill is mostly aligned with its stated purpose, but it handles browser session cookies and copies arbitrary local file contents into external storage (the IMA service) as well as local workspace files and memory logs, with little scoping or safety guidance.

Install only if you intend #kb content to be uploaded to IMA and retained locally. Do not submit secrets, private keys, customer data, or sensitive documents unless you have confirmed the target IMA knowledge-base ID, the credential file, the local storage paths, and the deletion process. Avoid exporting browser cookies unless you understand the account-takeover risk; if you must, use a low-value account, restrict the cookie file's permissions, and delete the file after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings
Severity: Medium (95% confidence)
Finding:
The skill description does not clearly warn that submitted content will be replicated into multiple persistent stores, including an external IMA service, local workspace files, and memory logs. This creates a privacy and data-governance risk because users may submit sensitive text, links, or file paths without realizing the content will be copied broadly and retained.

Missing User Warnings
Severity: High (97% confidence)
Finding:
The skill instructs users to export browser cookies and place them in a fixed path without any safety guidance. Browser cookies are sensitive session credentials; mishandling them can enable account takeover or unauthorized access, especially when stored in predictable temporary locations or consumed by shell tools.
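The storage guidance the finding says is missing (a private, unpredictable location, owner-only permissions, deletion after use) can be made concrete. The block below is an added example, not code from the skill or from this report: a hypothetical `scoped_cookie_file` helper that holds an exported cookie file only for the duration of a `with` block, and a `check_cookie_path` helper that flags the mistakes the finding describes for a cookie file that already exists.

```python
"""Added example: handle an exported browser cookie file with minimal exposure."""
from __future__ import annotations

import os
import stat
import tempfile
from contextlib import contextmanager
from pathlib import Path


@contextmanager
def scoped_cookie_file(cookie_bytes: bytes):
    """Write cookies to a private, unpredictable path and remove them when the block exits.

    Hypothetical helper; the skill itself asks for a fixed path with no such handling.
    """
    # mkdtemp creates a fresh directory with mode 0700 under the system temp dir,
    # so the path is neither predictable nor readable by other local users.
    tmpdir = Path(tempfile.mkdtemp(prefix="kb-cookies-"))
    path = tmpdir / "cookies.txt"
    try:
        # O_EXCL guarantees we create the file ourselves (no pre-planted symlink);
        # 0o600 keeps group/other from reading the session credentials.
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(cookie_bytes)
        yield path
    finally:
        # Best-effort overwrite before unlink (not a guarantee on journaling or
        # copy-on-write filesystems), then remove the file and its directory.
        try:
            with open(path, "r+b") as f:
                f.write(b"\0" * path.stat().st_size)
        except FileNotFoundError:
            pass
        path.unlink(missing_ok=True)
        tmpdir.rmdir()


def cookie_file_mode(path: Path) -> int:
    """Permission bits of the cookie file; 0o600 is the expected value."""
    return stat.S_IMODE(path.stat().st_mode)


def check_cookie_path(path: Path) -> list[str]:
    """Flag the storage mistakes the finding describes for an already-exported cookie file."""
    problems: list[str] = []
    if path.is_symlink():
        problems.append("cookie path is a symlink")
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & 0o077:
        problems.append(f"group/other can access the cookie file (mode {mode:04o})")
    # A fixed name directly under a world-writable temp directory is the pattern
    # the finding warns about: predictable, and readable by any local user if the
    # exporter did not restrict the mode.
    if path.parent in (Path("/tmp"), Path("/var/tmp")):
        problems.append("cookie file sits directly in a world-writable temp directory")
    return problems
```

The shell tools the skill hands the cookie file to should be invoked inside the `with` block; once it exits the file is gone, so nothing remains in a predictable location for a later process or user to pick up.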

Missing User Warnings
Severity: Medium (96% confidence)
Finding:
The file-ingestion path reads arbitrary local files and automatically copies their full contents into an external IMA note, local KB files, and memory logs without any sensitivity check, path restriction, or explicit consent gate. In an agent setting, this can exfiltrate secrets, tokens, SSH keys, customer data, or other private documents simply by supplying a file path.

Ssd 3
Severity: Medium (90% confidence)
Finding:
The skill is designed to persist arbitrary user text and externally fetched content into several long-term stores, increasing data exposure surface and retention duration. In a knowledge-base ingestion context this may be intentional, but without minimization, retention controls, or consent boundaries it creates real confidentiality risk if sensitive material is processed.

Ssd 3
Severity: High (98% confidence)
Finding:
The text and file ingestion paths unconditionally duplicate full content into external notes, local markdown files, and memory records, creating broad and durable dissemination of any secrets or sensitive business data contained in the input. Because the feature accepts arbitrary local file paths, the skill context makes this especially dangerous for accidental exfiltration from the host environment.
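The two file-ingestion findings above name three missing controls: a path restriction, a sensitivity check, and an explicit consent gate. The block below is an added example of what such a pre-ingestion guard looks like; it is not the skill's code and nothing on this page says the skill implements it. `check_ingest`, `SECRET_PATTERNS` and `DENY_BASENAMES` are hypothetical names, and the secret patterns are a small illustrative set, not a complete scanner.

```python
"""Added example: guard a user-supplied file path before it is copied to IMA, local KB files and memory."""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import Path

# Illustrative patterns for credential material; a real deployment would use a
# maintained secret scanner rather than this short list.
SECRET_PATTERNS = {
    "private key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH |DSA )?PRIVATE KEY-----"),
    "aws access key id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\.[A-Za-z0-9_-]{10,}\b"),
    "generic assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\s*[:=]\s*['\"]?[A-Za-z0-9_\-/+=]{16,}"
    ),
}

# Basenames that should never be replicated into a knowledge base, whatever they contain.
DENY_BASENAMES = {".env", "id_rsa", "id_ed25519", "credentials", ".netrc", ".npmrc", ".pypirc"}
MAX_BYTES = 1_000_000


@dataclass
class Decision:
    allowed: bool
    reasons: list[str] = field(default_factory=list)
    secret_types: list[str] = field(default_factory=list)


def check_ingest(requested: str, allowed_root: Path, *, consent: bool = False) -> Decision:
    """Decide whether `requested` may be copied into every store the skill writes to."""
    d = Decision(allowed=True)
    root = allowed_root.resolve()
    req = Path(requested)
    # Resolve symlinks and '..' before comparing, so a link planted inside the root
    # cannot point the ingestion at ~/.ssh or another location outside it.
    target = req.resolve() if req.is_absolute() else (root / req).resolve()

    # 1. Path restriction: the resolved file must sit under the allowed root.
    if root not in target.parents:
        d.reasons.append(f"{requested!r} resolves outside allowed root {root}")
    if target.name in DENY_BASENAMES:
        d.reasons.append(f"{target.name!r} is a known credential file")
    if not target.is_file():
        d.reasons.append("not a regular file")
        d.allowed = False
        return d
    if target.stat().st_size > MAX_BYTES:
        d.reasons.append("file exceeds size limit for ingestion")

    # 2. Sensitivity check on the bytes that would otherwise be replicated verbatim.
    text = target.read_text(errors="replace")
    for name, pat in SECRET_PATTERNS.items():
        if pat.search(text):
            d.secret_types.append(name)
    if d.secret_types:
        d.reasons.append("content matches secret patterns: " + ", ".join(d.secret_types))

    # 3. Consent gate: even a clean file is only copied to the external service,
    #    local KB files and memory logs when the user has explicitly agreed.
    if not consent:
        d.reasons.append("no explicit consent to replicate to external and local stores")

    d.allowed = not d.reasons
    return d
```

The guard is meant to run before the first copy is made; once content has reached an external note there is no reliable way to recall it, so rejecting early is the only point at which the "copied broadly and retained" risk in the findings can still be avoided.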

Ssd 3
Severity: Medium (87% confidence)
Finding:
The YouTube flow archives full subtitle transcripts plus summaries across IMA, local KB, and memory, which exceeds minimal processing and can create copyright, privacy, and over-retention issues. While less severe than local-file exfiltration, it still broadens disclosure and storage of third-party content beyond what many users would expect.

VirusTotal

0/65 vendors flagged this skill; all 65 reported it clean.

View on VirusTotal