Knowledge Graph

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local knowledge-graph skill, but it broadly changes agent behavior and can persist personal details and secrets by default.

Install only if you intentionally want an always-on local memory system that modifies agent instructions and can persist sensitive context. Review the injected agent block, narrow what the agent may store, avoid production credentials in the built-in vault, and treat exports, summaries, and visualizations as potentially private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Context-Inappropriate Capability

Medium (95% confidence)
The install flow explicitly patches the agent's instruction file so the skill can run autonomously and alter future agent behavior beyond a local data utility. That is a system-affecting modification with persistence, and in this context it meaningfully expands privilege and execution scope without strong user review or containment.

Context-Inappropriate Capability

Medium (88% confidence)
The article-extraction design asks the agent to generate and iterate bash scripts, embedding validation into a script loop rather than keeping processing inside a constrained application path. This increases the attack surface from knowledge extraction to arbitrary shell workflow generation, which can be abused if article content, prompts, or templates influence commands.

Context-Inappropriate Capability

High (98% confidence)
The serializer appends `%vault` entries containing vault key names directly into the KG summary output. Even without exposing secret values, credential identifiers reveal what sensitive integrations exist and can aid reconnaissance, prompt targeting, or social-engineering against the agent, and this disclosure is not necessary for a discoverability-oriented KG index.

Intent-Code Divergence

Medium (97% confidence)
The encrypted vault and the decryption key are stored in the same skill directory, so anyone who can read the skill files can recover both and decrypt all stored secrets. In a skill explicitly designed to proactively capture credentials and API keys, this defeats the security boundary implied by an 'encrypted secret store' and materially increases the chance of credential compromise.

Description-Behavior Mismatch

Medium (96% confidence)
The skill metadata says credentials or API keys should be 'store[d] in vault', creating an expectation of secure secret handling, but the implementation merely writes an encrypted blob plus its locally stored key inside the skill folder. Because this skill is meant to proactively ingest sensitive data, the weak storage model turns routine filesystem access, backup exposure, or package sharing into full secret disclosure.

Missing User Warnings

Medium (94% confidence)
The README describes an installer that modifies agent instructions and enables autonomous behavior, but it does not present this as a prominent system-level warning with informed consent. Users may treat installation as a local feature setup when it actually changes how the agent operates across sessions.

Missing User Warnings

Medium (84% confidence)
The README encourages storing API keys and retrieving them through commands, but it lacks strong warnings about sensitivity, local compromise risk, key rotation, access controls, and safe operational boundaries. In an agent context, normalizing conversational storage of secrets can lead to accidental retention, disclosure in context, or misuse by other tooling.

Vague Triggers

High (96% confidence)
The skill is explicitly configured to trigger on extremely broad categories of ordinary conversation, including people, places, preferences, habits, life events, projects, and general knowledge artifacts. This creates a high risk of silent over-collection and retention of user data without clear necessity or per-item consent, increasing privacy exposure and the chance that sensitive information is stored when the user did not intend it.

Missing User Warnings

High (98% confidence)
The description explicitly says credentials or API keys should be stored in the vault, but it does not pair that behavior with a strong user warning, informed-consent requirement, or safe-handling constraints at the point of collection. In context, this is especially dangerous because the skill is designed to act proactively, so secrets may be captured and retained from normal conversation without the user realizing they are being persisted.

Missing User Warnings

Medium (96% confidence)
Including vault key names in generated output without disclosure or warning leaks sensitive security metadata into downstream consumers of the summary. In this skill's context, the knowledge graph is designed to be proactively queried and surfaced to agents, which increases the chance that credential-related identifiers propagate widely through prompts, logs, or summaries.

Missing User Warnings

Medium (92% confidence)
The script mutates the knowledge graph in place and immediately persists changes with `save(store)` after applying heuristic nesting, edge removal, and attribute pruning, without any confirmation, dry-run gate, backup, or transactional safety. In this skill context, that is more dangerous because the knowledge graph is intended to be used proactively and persistently across many conversations, so a mistaken consolidation can silently corrupt long-lived structured knowledge and remove relationship data users may rely on later.

Missing User Warnings

Medium (92% confidence)
This script scans workspace memory files and prints extracted candidate entities, including labels derived from potentially sensitive content such as IPs, hostnames, Telegram handles, project names, and decisions. Even though it does not dump full file contents, the output can still disclose private operational or personal data to logs, terminals, CI output, or other observers without consent, and the skill’s context makes this more concerning because it is designed to proactively ingest broadly scoped personal and infrastructure knowledge.

Natural-Language Policy Violations

Medium (91% confidence)
The installer injects a persistent rule telling the agent to "Always add tags — synonyms, translations, abbreviations for cross-language search" without any user consent, scoping, or data-minimization controls. In a knowledge-graph skill that automatically records people, places, preferences, habits, and other personal context, this expands stored personal data and can create inferred or transformed copies of sensitive information beyond what the user originally shared.

Ssd 3

Medium (97% confidence)
The skill is designed to automatically persist user-provided entities, preferences, relationships, life events, and even credentials across sessions. In a conversational system this creates a substantial retention and privacy risk because sensitive information may be captured without contextual consent and later resurfaced, leaked, or used outside the original purpose.

Ssd 3

Medium (92% confidence)
Having the agent read a session-start summary of accumulated graph contents places historical structured knowledge directly into normal model context, increasing the chance that personal or sensitive data influences unrelated responses or is disclosed through prompt injection and context leakage. The danger is higher here because the graph is expressly meant to aggregate broad user facts over time.

Ssd 3

High (99% confidence)
The skill instructs the agent to proactively capture and retain a very broad set of personal, behavioral, relational, and secret data categories, including locations, life events, routines, preferences, organizational relationships, and credentials. The surrounding context makes this more dangerous, not less, because the skill emphasizes persistent storage, automatic use, install-time instruction patching, and routine enrichment of structured profiles, which could enable large-scale privacy invasion, sensitive profiling, and long-term compromise if the store is misused or exposed.

Ssd 3

High (99% confidence)
The generated agent block instructs the model to proactively and automatically persist broad categories of user data, including credentials/API keys, preferences, relationships, places, habits, milestones, and article-derived knowledge, into a long-lived knowledge store. This is dangerous because it normalizes collection of highly sensitive data without explicit consent per item, purpose limitation, retention controls, or strong separation of secrets, increasing the risk of privacy violations, over-collection, and accidental disclosure if the store or summaries are accessed by other tools or sessions.

VirusTotal

66/66 vendors flagged this skill as clean.