Introspect

Security checks across malware telemetry and agentic risk

Overview

Introspect is a local Claude Code session analyzer whose privacy-sensitive history access is disclosed and aligned with its purpose.

Install only if you are comfortable with a local tool reading recent Claude Code conversations. Start with a small date range and a specific project, review generated JSON and markdown reports before sharing, and delete reports that may contain sensitive snippets or project details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill instructs the agent to execute a local Python script and write a markdown report, but it declares no permissions. This creates a capability/permission mismatch that can bypass user expectations and platform governance, especially because the script reads potentially sensitive session history and writes derived analysis to disk.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The package defines a postinstall path that immediately executes the CLI during npm installation, causing code to run before the user explicitly invokes the tool. For a session-analysis skill, automatic execution is unnecessary to core package installation and creates a supply-chain risk surface where install-time code could modify files, collect data, or perform network actions without clear consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly says the tool reads Claude Code conversation history and extracts conversation snippets, but its privacy section understates the sensitivity by saying 'Local only' and 'No code in reports' without clearly warning that prompts may contain secrets, credentials, proprietary code, or personal data. Even if processing is local, collecting and surfacing snippets from session logs can expose highly sensitive material to the report, terminal output, screenshots, or other local users.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manifest's postinstall script causes arbitrary package code to run automatically on install, with no warning in package.json itself and no indication that such execution is essential for functionality. In the context of a developer tool that may access session data, this is more dangerous because installation could trigger unexpected local inspection or persistence actions before informed user approval.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill advertises broad natural-language triggers such as 'analyze my sessions', 'how am I performing', and 'developer profile', which can overlap with ordinary conversation and cause the skill to activate unexpectedly. Because this skill reads local session history and generates a report from it, accidental invocation can expose more user data than intended and launch privacy-sensitive analysis without a clearly scoped request.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script reads sensitive Claude history and session files from the user's home directory and later persists derived analysis without any consent prompt, minimization, or privacy notice in the code path. Because these sources can contain confidential prompts, code snippets, project names, and workflow details, silently processing them increases the chance of unauthorized collection and secondary disclosure.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script writes detailed session-derived data, including message snippets, timestamps, project names, branches, files touched, and token metadata, into a JSON report under a persistent directory without any consent gate, minimization, or warning. This can unintentionally preserve and expose sensitive Claude conversation content or local development details to other local processes, backups, or future sharing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script is designed to read sensitive local Claude history and session files from the user's home directory, which may contain prompts, project context, file paths, and workflow metadata. In a skill context, undisclosed access to these stores is privacy-sensitive because users may invoke the skill for analysis without realizing the breadth of local data being consumed.

Ssd 3

High
Confidence
97% confidence
Finding
The snippet extraction logic copies substantial user message content, timestamps, frustration moments, and related context into a structured output intended for downstream AI analysis. This is dangerous because it republishes potentially sensitive conversation data beyond its original storage location, increasing exposure of secrets, proprietary code, personal information, and internal project context.

Ssd 3

Medium
Confidence
91% confidence
Finding
The parser preserves tool names and slices of file paths or commands from tool inputs into the exported dataset. Even truncated paths and command strings can reveal repository structure, usernames, infrastructure names, commands run, or sensitive filenames, creating metadata leakage that may be valuable to an attacker or inappropriate for downstream sharing.

Ssd 3

High
Confidence
98% confidence
Finding
The final execution path both writes the full analysis dataset to disk and prints it to stdout, which amplifies the chance of unintended disclosure through logs, terminals, calling processes, or later local access. In the context of a session-introspection skill, this is especially risky because the emitted JSON includes derived analytics plus sampled session content and metadata sourced from private Claude usage history.

Session Persistence

Medium
Category
Rogue Agent
Content
---

> You are a **developer psychologist**. Not a calculator, not a template filler. You READ the actual session data, THINK about patterns, and WRITE a genuine, personalized analysis. Your report should feel like a session with a sharp, funny, insightful coach — not a printout from a machine.

## Phase 1: Collect Input
Confidence
74% confidence
Finding
WRITE a genuine, personalized analysis. Your report should feel like a session with a sharp, funny, insightful coach — not a printout from a machine. ## Phase 1: Collect Input Ask the user: 1. **Dat

Session Persistence

Medium
Category
Rogue Agent
Content
- Do they pivot and show Phoenix behavior?
- Do they give up (abandon session)?

Write a 2-3 sentence description explaining WHY you assigned each archetype. Use specific evidence from the sessions.

### 3.3 — Behavioral Patterns (The Psychology Part)
Confidence
71% confidence
Finding
Write a 2-3 sentence description explaining WHY you assigned each archetype. Use specific evidence from the sessions. ### 3.3 — Behavioral Patterns (The Psychology Part) Read the session snippets ca

VirusTotal

67/67 vendors flagged this skill as clean.
