ClawHub

Clipboard Manager

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local clipboard-history tool, but it can save private clipboard text on disk while monitoring is running.

Install only if you are comfortable with local clipboard history being saved in plaintext. Avoid running the monitor while copying passwords, one-time codes, API keys, private messages, or financial information, and delete or clear ~/.clipboard_history.json on shared or sensitive machines.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are very broad generic terms for clipboard activity, which can cause accidental invocation during ordinary user conversation. In the context of a clipboard-history skill, unintended activation is risky because it may expose or manipulate sensitive clipboard contents when the user did not mean to access stored history.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill description advertises automatic saving of clipboard history but does not warn that clipboard contents often include highly sensitive information like passwords, one-time codes, financial data, or personal messages. Without clear warnings and retention guidance, users may unknowingly persist secrets to disk and later expose them through search, history display, or paste operations.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The monitor loop continuously captures clipboard contents and persists them to ~/.clipboard_history.json without user consent flow, sensitive-data filtering, or any file-permission hardening. Clipboard contents commonly include passwords, tokens, API keys, private messages, and other secrets, so silent persistence materially increases the risk of credential exposure and privacy compromise.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal