ClawHub

Local Context Bridge

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent local-document search purpose, but it needs Review because it encourages automatic access to private/internal files and snippets without clear user consent boundaries.

Install only if you are comfortable with an agent indexing and searching selected local folders. Limit watched directories, avoid secrets or highly sensitive records, review the external cbridge-agent package before installing or updating it, and configure your workflow so the agent asks before searching or reading private documents.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill description is broad enough to activate on many requests involving 'local files, private data, or internal knowledge,' which can cause unnecessary access to sensitive local content. In this context, overbroad routing is dangerous because the tool returns file paths and snippets from personal or internal documents, increasing the chance of privacy-invasive retrieval without a narrowly scoped user request.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The instruction to 'act autonomously' and invoke local semantic search based on inferred intent lacks meaningful constraints, consent boundaries, or sensitivity checks. Because this skill targets private and internal documents, autonomous activation materially raises the risk of unauthorized inspection and disclosure of sensitive snippets and file paths.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The description explicitly promotes searching personal and internal documents but does not warn the user that doing so may expose sensitive local content, metadata, and file paths to the agent workflow. In a skill centered on private data retrieval, omission of privacy warnings makes accidental over-collection more likely and increases the chance users do not understand the access implications.

Missing User Warnings

High
Confidence
98% confidence
Finding
The instruction to search local documents 'without explicitly asking the user, unless authorization is required' is a direct privacy and consent failure for a tool designed to access private/internal files. In this context, the lack of an up-front warning or consent gate is especially dangerous because even snippets can leak confidential information and file-system metadata unrelated to the user's immediate request.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal