ClawHub

GOG Sync

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward GOG backup and sync helper, with the main risk being ordinary rsync overwrite or unintended remote copy behavior that users should understand before running it.

Before installing, inspect sync.sh and replace the placeholder user@remote destinations with a remote host you control. Keep GOG_CONFIG_DIR limited to game configuration folders, and consider a manual backup or rsync dry run before first use because sync tools can overwrite or propagate unwanted files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The README promotes remote syncing of save files and configuration data, including user-customized files, but does not warn about overwrite, data loss, exposure of sensitive local paths/settings, or unintended transfer to a remote host. In a tool designed to automate backups and sync operations, missing safety guidance materially increases the chance of destructive or privacy-impacting misuse by users.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The manifest explicitly advertises synchronization of save files and custom configurations across devices, but it provides no warning that these actions can overwrite local state or propagate unwanted changes. In a sync tool, silent bidirectional or one-way propagation of saves, mods, keybinds, and settings can cause data loss, broken game setups, or accidental spread of sensitive user data between systems.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The command descriptions for sync, save sync, and config sync present potentially destructive operations as routine actions without disclosing that they may modify or overwrite existing user data. Because this skill manages game saves and custom configs, missing warnings materially increase the chance of accidental destructive use, especially when users assume sync is non-destructive or reversible.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal