Security audit

Lance Store

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate local dataset storage skill, but it needs review because it can persist and delete local data, and some of its write paths (backup destinations, dataset directories) are broader than the documentation suggests.

Install only if you want a local persistent database tool that can create, read, overwrite, back up, and delete datasets. Avoid storing secrets, credentials, personal data, or regulated information unless you add your own controls; use simple dataset names without path characters; and make backups before any update, delete, or drop operation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill explicitly states that datasets are created and stored under the current working directory and documents commands that create, update, back up, and delete datasets, which implies filesystem write capability that the manifest does not declare. Undeclared file-write behavior reduces transparency and can lead to unintended persistence or modification of local files, especially in agent environments that rely on manifest permissions for user trust and policy enforcement.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The documentation claims dataset deletion requires confirmation when no backup exists, but no actual confirmation mechanism is shown in the interface. In an agent context, a single documented delete command without enforced confirmation can enable accidental or automated destructive actions, causing irreversible data loss.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The skill includes administrative capabilities to back up and delete datasets in addition to basic persistence and retrieval. In an agent setting, this expands the attack surface and enables data destruction or uncontrolled duplication if these functions are invoked by prompts or other components without strict authorization and user awareness.

Context-Inappropriate Capability

Low
Confidence
75% confidence
Finding
Returning the full dataset filesystem path discloses the internal storage layout, which ordinary data-store usage does not need. This information can aid chained attacks, such as targeting predictable directories, probing the deployment structure, or helping other tools with filesystem access locate and misuse the data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly encourages storing conversation context and research data across sessions, but it does not warn users about retention, privacy, or the possibility of persisting sensitive or regulated data. In an agent skill, this is risky because users may assume transient handling while the skill normalizes long-term storage of potentially personal or confidential information.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases include very common language such as 'remember this', 'store this data', and 'store for later', which can cause accidental invocation during normal conversation. Because the skill performs persistent file-backed storage and includes modification/deletion capabilities, overly broad triggers increase the risk of unintended data retention or manipulation without clear user intent.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill documents a destructive drop-dataset operation but does not provide a strong explicit warning about permanence and impact at the point of use. In a persistence skill, deletion commands are especially sensitive because users may assume operations are reversible; absent strong warnings and safeguards, accidental invocation can result in permanent data loss.

Missing User Warnings

High
Confidence
84% confidence
Finding
The CLI exposes an irreversible drop-dataset operation with no visible confirmation, safeguard, or friction before deleting an entire dataset. In a persistence skill intended to store conversation context and research data, accidental or scripted invocation could cause significant integrity and availability loss across sessions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The drop_dataset function irreversibly removes stored data and metadata without any built-in confirmation, soft delete, or safety interlock. In an LLM-agent workflow, a mistaken prompt, prompt injection, or indirect tool invocation could trigger permanent data loss with little opportunity for recovery.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The backup operation writes copies of datasets to a caller-controlled relative location without any user-facing disclosure or confirmation. Even though the path is constrained against absolute paths and parent-directory traversal, this can still create unexpected duplicate copies of sensitive data on disk and bypass normal data lifecycle expectations.
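The findings above point at three controls a reviewer would want to see in a persistence skill like this one: dataset names restricted to simple identifiers without path characters (the Overview's advice), a backup destination that cannot escape the store's directory (this finding), and a drop operation that enforces the confirmation the documentation promises and keeps a recoverable copy (the drop-dataset and Intent-Code Divergence findings). The following is an added illustration of those controls, not the Lance Store skill's own code. It assumes a hypothetical on-disk layout (one directory per dataset under a base directory, with `backups/` and `.trash/` reserved) and a hypothetical `Store` class; the dataset content is a constructed sample byte string.

```python
import re
import shutil
import tempfile
import time
from pathlib import Path

# Assumption: dataset names are simple identifiers; no '/', '\\', '.', or leading '-'.
DATASET_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_-]{0,63}$")
RESERVED = {"backups"}  # top-level names the store itself uses


def validate_dataset_name(name: str) -> str:
    """Reject anything that could act as a path component or collide with store internals."""
    if not DATASET_NAME_RE.fullmatch(name) or name in RESERVED:
        raise ValueError(f"invalid dataset name: {name!r}")
    return name


def resolve_inside(base: Path, relative: str) -> Path:
    """Resolve a caller-supplied relative path strictly inside `base`.

    Rejects absolute paths and '..' components up front, then re-checks after
    resolve() so a symlink planted inside `base` cannot redirect the write outside it.
    """
    rel = Path(relative)
    if rel.is_absolute() or ".." in rel.parts:
        raise ValueError(f"path must be relative and must not traverse upward: {relative!r}")
    base_r = base.resolve()
    target = (base_r / rel).resolve()
    if target != base_r and base_r not in target.parents:
        raise ValueError(f"path escapes the store directory: {relative!r}")
    return target


class Store:
    """Hypothetical directory-per-dataset store used only to demonstrate the guards."""

    def __init__(self, base: Path):
        self.base = base.resolve()
        self.trash = self.base / ".trash"   # '.'-prefixed, so no dataset name can collide
        self.base.mkdir(parents=True, exist_ok=True)
        self.trash.mkdir(exist_ok=True)
        self._backups: dict = {}            # dataset name -> list of backup paths

    def dataset_dir(self, name: str) -> Path:
        return self.base / validate_dataset_name(name)

    def create(self, name: str, payload: bytes) -> Path:
        d = self.dataset_dir(name)
        d.mkdir()
        (d / "data.bin").write_bytes(payload)
        return d

    def backup(self, name: str, dest_rel: str) -> Path:
        src = self.dataset_dir(name)
        dest = resolve_inside(self.base / "backups", dest_rel)   # never outside base/backups
        shutil.copytree(src, dest)
        self._backups.setdefault(name, []).append(dest)
        return dest

    def drop(self, name: str, confirm: str = "") -> Path:
        """Documented policy: confirmation is required when no backup exists.

        The confirmation is an exact phrase the caller must echo back, so a bare
        'drop' request from a prompt cannot satisfy it. Data is always moved to
        .trash rather than removed, so a mistaken drop is recoverable.
        """
        d = self.dataset_dir(name)
        if not d.exists():
            raise FileNotFoundError(name)
        if not self._backups.get(name) and confirm != f"drop {name}":
            raise PermissionError(f"no backup of {name!r}; pass confirm='drop {name}' to proceed")
        trashed = self.trash / f"{name}.{int(time.time() * 1000)}"
        shutil.move(str(d), str(trashed))
        return trashed

    def restore(self, name: str) -> Path:
        """Bring the most recent trashed copy of `name` back as a live dataset."""
        name = validate_dataset_name(name)
        candidates = sorted(self.trash.glob(f"{name}.*"))
        if not candidates:
            raise FileNotFoundError(name)
        target = self.base / name
        if target.exists():
            raise FileExistsError(name)
        shutil.move(str(candidates[-1]), str(target))
        return target


def _raises(fn, exc=(ValueError, PermissionError)) -> bool:
    try:
        fn()
    except exc:
        return True
    return False


def demo() -> dict:
    """Exercise every guard on a throwaway directory and report what happened."""
    out = {}
    with tempfile.TemporaryDirectory() as tmp:
        store = Store(Path(tmp) / "lance_store")
        store.create("notes", b"constructed sample bytes")               # constructed sample
        out["name_rejected"] = _raises(lambda: store.create("../etc", b""))
        out["abs_backup_rejected"] = _raises(lambda: store.backup("notes", "/tmp/x"))
        out["traversal_rejected"] = _raises(lambda: store.backup("notes", "../../x"))
        out["drop_without_confirm_rejected"] = _raises(lambda: store.drop("notes"))
        trashed = store.drop("notes", confirm="drop notes")
        out["data_still_on_disk"] = (trashed / "data.bin").read_bytes() == b"constructed sample bytes"
        store.restore("notes")
        out["restored"] = (store.base / "notes" / "data.bin").exists()
        backup = store.backup("notes", "daily/notes")
        out["backup_inside_base"] = store.base in backup.parents
        out["drop_after_backup_soft"] = store.drop("notes").exists()   # no phrase needed, still soft
    return out


if __name__ == "__main__":
    print(demo())
```

The second check in `resolve_inside` is the one that matters: rejecting `..` textually is not enough once a symlink inside `backups/` points elsewhere, so the resolved target is compared against the resolved base as well. The confirmation phrase is deliberately dataset-specific so that an agent cannot satisfy it by passing a generic flag it learned once.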

VirusTotal

66/66 vendors flagged this skill as clean.