Ai Session Analysis

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it broadly reads private AI assistant histories and has under-disclosed report-sharing and browser-network risks.

Install only if you intentionally want the agent to inspect local AI assistant histories across Claude Code, Codex, and Kimi. Treat both terminal output and generated HTML as private, use --no-open if you do not want the report opened automatically, and avoid sharing the report because it embeds sensitive session details and loads a CDN script.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium (95% confidence)
Finding:
The generated report loads Chart.js from a public CDN at runtime, which creates an unexpected outbound network dependency for a tool advertised as analyzing local session data. This can leak report access metadata such as IP address, timing, and user agent, and it also introduces supply-chain risk if the CDN resource is unavailable or compromised.

Vague Triggers

Medium (83% confidence)
Finding:
The trigger description is broad enough to invoke the skill for generic requests about coding sessions or work summaries, increasing the chance it runs on ambiguous prompts without the user realizing it will inspect local transcript stores. In context, that broad activation surface is more dangerous because the backing scripts access high-sensitivity behavioral data across multiple tools.

Missing User Warnings

Medium (88% confidence)
Finding:
The script recursively reads local Claude session transcript files from the user's home directory and analyzes message/tool activity without any built-in user warning, consent prompt, path confirmation, or minimization controls. In a session-analysis skill, access to these files is functionally expected, but the data is still sensitive because transcripts can contain prompts, code context, project names, and workflow metadata; silent collection increases privacy risk and can expose more data than the user realizes.

Missing User Warnings

Medium (89% confidence)
Finding:
The Codex and Kimi analyzers similarly enumerate and parse session files under hidden home-directory paths without any user-facing notice or consent mechanism. Although this aligns with the skill's stated purpose, these stores may reveal command history, tool usage, timestamps, and project associations, so the lack of disclosure makes the skill more dangerous in practice because users may not appreciate the breadth of local data being inspected.

Missing User Warnings

Medium (91% confidence)
Finding:
This script aggregates highly sensitive local session artifacts, including shell commands, project names, file paths, and web searches, and writes them into an HTML report without an explicit warning, minimization, or consent checkpoint. In the context of AI coding assistant sessions, these fields can expose confidential codebase details, secrets-adjacent operational behavior, and private research activity if the report is shared, opened by other software, or stored insecurely.

Missing User Warnings

Medium (94% confidence)
Finding:
This script enumerates and summarizes session data from hidden home-directory paths such as ~/.claude/projects, ~/.codex/sessions, and ~/.kimi/sessions, which can contain sensitive prompts, commands, file paths, search queries, and error messages. Although the tool is clearly intended for local session analysis, it performs broad collection and prints excerpts without any consent flow, minimization, or warning, creating a real privacy and data-exposure risk if invoked unexpectedly or used in shared/logged environments.

VirusTotal

65/65 vendors flagged this skill as clean.
