
Security audit

Creative Thought Partner

Security checks across malware telemetry and agentic risk

Overview

This is a conversational ideation skill that may save session notes locally, but it does not show malicious behavior or unsafe access.

Install only if you are comfortable with brainstorming sessions being written to a local markdown file under `creative-thoughts/`. Avoid sharing confidential business plans, unpublished ideas, or personal reflections unless you are willing to review, redact, or delete the saved session file afterward.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding:
The skill description is broad enough to trigger in many normal ideation or conversational contexts, which can cause unintended activation and collection of user inputs outside a narrowly expected use case. In this skill, that risk is amplified because later instructions include exporting/saving session content, so accidental invocation can lead to unnecessary retention of sensitive brainstorming or personal material.

Missing User Warnings

Medium
Confidence: 97%
Finding:
The file declares a generated output location for session artifacts without any instruction to notify the user that their conversation may be written to persistent storage. Because this skill encourages open-ended discussion of ideas, methods, and beliefs, users may share sensitive personal, commercial, or pre-publication information that they do not expect to be retained.

Missing User Warnings

Medium
Confidence: 99%
Finding:
The session export step explicitly instructs saving a narrative arc, breakthroughs summary, full transcript, and session notes, but does not require warning the user or asking permission first. This creates a clear privacy and data-governance risk because the transcript may contain confidential ideas, business strategy, or personal reflections that the user assumed were ephemeral.

VirusTotal

63/63 vendors flagged this skill as clean.
