thinking-model-enhancer

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate local decision-support skill, but its memory features can keep prompts, summaries, and usage history on the user's computer across sessions.

Install this only if you are comfortable with a local memory feature. Avoid entering secrets or highly sensitive personal or business details unless you accept that summaries or session data may remain under ~/.claude/thinking_models, and review any troubleshooting or fix-script recommendations before acting on them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding
The skill advertises substantial capabilities such as memory integration, external research, troubleshooting flows, and last-resort script creation, but does not declare corresponding permissions. This creates a trust and review gap: operators may approve or auto-enable the skill assuming it is low-privilege when its instructions clearly contemplate file, network, and shell-backed actions.
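The gap this finding describes can be checked mechanically before a skill is approved: compare the tools the manifest declares with the capabilities its instructions talk about. The scanner below is an added example, not SkillSpector's logic or the skill's own code. It assumes a SKILL.md-style file with YAML frontmatter carrying an `allowed-tools` key and a body in prose; the frontmatter keys, the tool names (Read, Write, WebFetch, Bash), the phrase-to-tool hint table and the sample skill text are all constructed for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample skill file. The frontmatter keys and the tool names are
# assumptions for this example; the body paraphrases the capabilities the
# finding lists (memory reads/writes, external research, last-resort scripts).
SAMPLE_SKILL = """---
name: thinking-model-enhancer
description: Improve decision quality by comparing thinking models.
allowed-tools: Read
---
# When to use
Use when the user requests improved decision-making.

# Workflow
1. Retrieve past thinking models from memory under ~/.claude/thinking_models.
2. Store refined models back to memory for later sessions.
3. If context is missing, perform external research on the web.
4. As a last resort, create a fix script and run it.
"""

# Phrases in a skill body that imply a capability, keyed by the tool that
# would grant it. Assumed heuristic table, not a registry rule.
CAPABILITY_HINTS = {
    "Read": [r"\bretrieve\b", r"\bread\b", r"\bload\b", r"~/\."],
    "Write": [r"\bstore\b", r"\bsave\b", r"\bpersist", r"\bwrite\b",
              r"\bcreate (?:a )?(?:fix )?script"],
    "WebFetch": [r"\bexternal research\b", r"\bweb\b", r"\bfetch\b", r"https?://"],
    "Bash": [r"\brun (?:it|the script|a script)\b", r"\bexecute\b", r"\bshell\b"],
}


@dataclass
class CapabilityGap:
    declared: set      # tools the frontmatter grants
    implied: dict      # tool -> snippets in the body that imply it

    @property
    def undeclared(self):
        return sorted(set(self.implied) - self.declared)


def split_frontmatter(text):
    """Return (metadata dict, body). Minimal key: value parsing, no YAML library."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        return {}, text
    meta = {}
    for line in m.group(1).splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            meta[key.strip()] = value.strip()
    return meta, m.group(2)


def declared_tools(meta):
    raw = meta.get("allowed-tools", "")
    return {t for t in re.split(r"[,\s]+", raw) if t}


def audit_skill(text):
    """Report every tool the body implies that the frontmatter does not grant."""
    meta, body = split_frontmatter(text)
    implied = {}
    for tool, patterns in CAPABILITY_HINTS.items():
        hits = []
        for pat in patterns:
            for m in re.finditer(pat, body, re.I):
                start = max(0, m.start() - 25)
                hits.append(body[start:m.end() + 25].replace("\n", " ").strip())
        if hits:
            implied[tool] = hits
    return CapabilityGap(declared_tools(meta), implied)


if __name__ == "__main__":
    gap = audit_skill(SAMPLE_SKILL)
    print("declared tools:", sorted(gap.declared) or "(none)")
    for tool in gap.undeclared:
        print(f"UNDECLARED {tool}: ...{gap.implied[tool][0]}...")
```

On the sample, only Read is declared while the body implies Write, WebFetch and Bash; an operator auto-enabling on the basis of the manifest alone would grant far less than the instructions expect the agent to do, which is exactly the review gap the finding describes. The hint table is deliberately coarse; the point is that a manifest-versus-body diff is cheap to run on every skill before approval.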

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding
The documented purpose frames the skill as a decision-quality enhancer, but the behavior described by the analysis extends into persistent storage, trigger automation, command-style interfaces, batch workflows, and initialization side effects under ~/.claude/thinking_models. That mismatch is dangerous because it hides operational scope and persistence, making users and reviewers less likely to recognize data retention, automation, and unintended execution risks.

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The module persists cross-session data to predictable local files under the user's home directory and records arbitrary session dictionaries without minimization. In this skill context, that can include sensitive conversation content, summaries, ratings, and model choices, creating unnecessary data retention and local disclosure risk beyond what is needed for optimization.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
SessionData explicitly includes raw user_input and result_summary, and the module later serializes session records to disk. For a thinking-model enhancer, storing full natural-language content is broader than necessary and risks leaking secrets, personal data, or proprietary prompts from prior sessions.

Vague Triggers

Severity: Medium
Confidence: 85%
Finding
The activation condition ('when user requests improved decision-making... or comparing and integrating thinking approaches') is broad enough to match many ordinary conversations. Overbroad triggering can cause the skill to activate unexpectedly, injecting memory access, external research, or troubleshooting workflows into contexts where the user did not request them.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding
The 'When to use' section defines scope in broad, ambiguous terms without boundaries, which increases the chance of accidental invocation and role creep. In this skill, that matters because the broader document encourages memory-system use, automatic mode selection, and troubleshooting/research actions that can extend beyond harmless guidance.

Natural-Language Policy Violations

Severity: Medium
Confidence: 77%
Finding
Automatic problem-type detection based on keyword lists, especially narrow language-specific ones, can misclassify user intent and invoke the wrong workflow without informed consent. In this skill, misclassification is more dangerous because the selected modes may lead to memory queries, external research, or troubleshooting actions that exceed what the user asked for.

Vague Triggers

Severity: Medium
Confidence: 94%
Finding
The skill declares automatic activation on very broad phrases such as improved decision-making and optimizing decision-making processes, which are common across many ordinary conversations. This can cause the skill to activate unexpectedly, expanding its influence over unrelated tasks and increasing the chance that its memory-integrated behavior is invoked without clear user intent or informed consent.
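The three Vague Triggers findings and the keyword-detection finding above all come down to one measurable property: how often the activation phrases fire on conversations that have nothing to do with the skill. The script below is an added example, not code from the skill or from SkillSpector. It scores a broad trigger set (paraphrasing the phrases the findings quote) against a narrow set that requires an explicit reference to the skill, using a small constructed corpus of prompts, and shows a gating policy in which a broad match only asks rather than silently activating memory, research or troubleshooting workflows. The trigger patterns, prompts and the "activate / ask / ignore" policy are all assumptions for the example.

```python
import re

# Broad trigger phrases as the findings paraphrase them, plus the skill name.
BROAD_TRIGGERS = [
    r"improved decision[- ]making", r"optimi[sz]\w* decision",
    r"decision[- ]making process", r"thinking approach",
    r"compar\w+ .*approach", r"thinking[- ]model",
]
# Narrow alternative: activation needs an explicit reference to the skill.
SCOPED_TRIGGERS = [
    r"\bthinking[- ]model enhancer\b", r"\bcompare thinking models\b",
    r"\bwhich thinking model\b", r"^/thinking-model\b",
]

# Constructed evaluation set: messages that should activate the skill ...
SHOULD_TRIGGER = [
    "Use the thinking model enhancer to pick a framework for this hiring decision",
    "Compare thinking models for evaluating this vendor contract",
    "Which thinking model fits a go/no-go launch decision?",
    "/thinking-model analyze our pricing options",
]
# ... and ordinary engineering chatter that should not.
SHOULD_NOT_TRIGGER = [
    "Our team wants improved decision-making around on-call handoffs, draft a runbook",
    "Compare the two approaches in this PR and summarise the tradeoffs",
    "How do I optimise decision making latency in this Rust state machine?",
    "Explain the thinking approach behind the SQL query planner",
    "Write a unit test for the decision-making process in checkout.py",
    "Fix the typo in the README",
    "What is the capital of Peru?",
    "Refactor this function to avoid a nested loop",
]


def fires(triggers, text):
    return any(re.search(p, text, re.I) for p in triggers)


def trigger_stats(triggers, positives, negatives):
    """Recall on prompts that should activate, false-positive rate on the rest."""
    tp = sum(fires(triggers, t) for t in positives)
    fp = sum(fires(triggers, t) for t in negatives)
    return {"recall": tp / len(positives), "false_positive_rate": fp / len(negatives)}


def activation_decision(text):
    """Activate silently only on an explicit reference; a broad keyword match
    may ask the user, never start memory, research or troubleshooting on its own."""
    if fires(SCOPED_TRIGGERS, text):
        return "activate"
    if fires(BROAD_TRIGGERS, text):
        return "ask"
    return "ignore"


if __name__ == "__main__":
    for name, trig in (("broad", BROAD_TRIGGERS), ("scoped", SCOPED_TRIGGERS)):
        print(name, trigger_stats(trig, SHOULD_TRIGGER, SHOULD_NOT_TRIGGER))
    for msg in SHOULD_NOT_TRIGGER[:2] + SHOULD_TRIGGER[:1]:
        print(activation_decision(msg), "<-", msg)
```

On this corpus the broad set fires on five of the eight unrelated prompts while the scoped set fires on none, and both still catch every intended invocation. Running a skill's published trigger phrases against a sample of a team's real prompt history is a cheap pre-installation check; a false-positive rate like the broad set's means the memory writes described elsewhere on this page will happen in conversations the user never associated with the skill.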

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The file describes retrieving past thinking models from memory, comparing them, and storing refined models, but provides no user-facing disclosure about what data is accessed, retained, or reused. In a decision-support skill, this creates privacy and data-governance risk because sensitive user prompts, reasoning artifacts, or historical context may be persisted or repurposed without transparency or consent.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The performance tracker stores portions of user problem text, timestamps, model identifiers, and result summaries to a persistent JSON file under the user's home directory without any explicit consent, minimization, or retention controls. If users submit sensitive prompts or proprietary data, this creates a local privacy exposure and increases the chance of unintended disclosure through backups, shared machines, or other local access.

Missing User Warnings

Severity: Low
Confidence: 79%
Finding
The configuration manager automatically creates and writes persistent files in the user's home directory without explicit notice or consent. Although the stored data appears non-secret, silent persistence can surprise users, affect behavior across sessions, and create a modest privacy/integrity concern in environments where local state should be minimized.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding
When triggers match user input, the module persists `last_triggered` timestamps to disk, meaning user-derived interaction metadata is stored without any visible notice or consent mechanism. In an agent skill context, silent persistence of behavioral metadata can create privacy and auditability concerns, especially across sessions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
Template management creates, updates, and deletes persistent files under the user's home directory without any explicit disclosure or consent flow. In a skill environment, undisclosed writes to hidden local storage can violate user expectations and may expose sensitive workflow data if templates contain private content.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
Custom model configuration is persisted and deletable from hidden local storage with no visible disclosure to the user. Because modifications and performance notes may contain sensitive prompts, preferences, or workflow details, silent persistence increases privacy risk and can lead to unintended long-term data retention.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The code writes session and pattern data to disk with no visible disclosure, prompt, or consent flow, so users may not realize their inputs are retained across sessions. Hidden persistence increases privacy risk because sensitive content may remain locally long after the interaction ends.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The interface exposes a destructive 'clear memory' action that immediately deletes historical records based solely on a parsed day count, with no confirmation, authorization check, preview, or undo. In a skill that stores user problem history, this can lead to accidental or induced loss of audit/history data and may erase useful or sensitive records without user awareness.
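A destructive command driven by a parsed number needs three things the finding says are missing: strict parsing of the argument, a preview bound to exactly the records that would go, and a reversible delete. The example below is added here and is not the skill's code; it contrasts the unguarded pattern the finding describes with a two-phase version. The record layout, the fixed clock, the day-count bounds and the confirmation-token scheme are assumptions for the example.

```python
import hashlib
import json
import re

DAY = 86400
NOW = 1_700_000_000      # fixed clock so the example is deterministic
MAX_DAYS = 3650

# Constructed history: twelve records, ten days apart, newest first.
HISTORY = [{"id": i, "ts": NOW - i * 10 * DAY, "summary": f"problem {i}"}
           for i in range(12)]


def clear_memory_unsafe(records, arg, now=NOW):
    """The pattern the finding describes: parse, then delete, no guard.
    "0" keeps only records stamped this instant; "-5" wipes everything."""
    days = int(arg)
    return [r for r in records if r["ts"] >= now - days * DAY]


def parse_days(arg):
    """Accept only a bare positive integer within a sane range; anything
    else (negative, zero, trailing text, huge values) is rejected."""
    if not re.fullmatch(r"\d{1,4}", arg.strip()):
        raise ValueError(f"unparseable day count: {arg!r}")
    days = int(arg)
    if not 1 <= days <= MAX_DAYS:
        raise ValueError(f"day count out of range: {days}")
    return days


def clear_memory(records, arg, confirm=None, now=NOW):
    """Two-phase delete. Phase 1 (no token): return a preview and a token
    bound to exactly the records shown. Phase 2 (matching token): move those
    records to a trash list so the action is reversible, plus an audit entry."""
    cutoff = now - parse_days(arg) * DAY
    doomed = [r for r in records if r["ts"] < cutoff]
    ids = sorted(r["id"] for r in doomed)
    token = hashlib.sha256(json.dumps(ids).encode()).hexdigest()[:12]
    if confirm != token:
        return {"deleted": False, "count": len(doomed),
                "preview": ids, "confirm_token": token}
    kept = [r for r in records if r["ts"] >= cutoff]
    return {"deleted": True, "count": len(doomed), "kept": kept, "trash": doomed,
            "audit": {"action": "clear_memory", "cutoff": cutoff, "ids": ids, "at": now}}


if __name__ == "__main__":
    print("unsafe, arg '-5' leaves", len(clear_memory_unsafe(HISTORY, "-5")), "records")
    step1 = clear_memory(HISTORY, "30")
    print("preview:", step1)
    step2 = clear_memory(HISTORY, "30", confirm=step1["confirm_token"])
    print("kept:", [r["id"] for r in step2["kept"]], "trashed:", step2["audit"]["ids"])
```

Binding the token to the exact id list means a confirmation issued for one preview cannot be replayed after new records arrive or after a different day count is supplied; the trash list gives an undo window, and the audit entry is what later forensics would need to explain why history is missing.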

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The module persistently stores problem summaries, output summaries, findings, ratings, and timestamps under the user's home directory without any consent, minimization, or encryption. Even though this is a local file write, these records can contain sensitive prompts or model outputs and may be exposed to other local users, backups, or later compromise of the host.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
Cross-session learning stores raw session details in plaintext JSON files, which creates a straightforward retention and leakage surface for natural-language secrets and personal data. Because this skill explicitly integrates memory across sessions, the context makes the issue more dangerous: it normalizes accumulation of sensitive historical content over time.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The history query feature is built around retaining and later retrieving prior problem summaries and output summaries, which are derived from user-provided content. In a thinking/analysis skill, users may submit sensitive operational details, credentials, incidents, or proprietary material; storing and resurfacing that data without clear privacy controls can expose confidential information to later users or components.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The batch processing path automatically stores snapshots for every processed problem, including truncated problem text, generated output summaries, findings, timestamps, and a hash of the input, without an explicit consent boundary. Automatic persistence expands privacy risk because bulk inputs often contain larger volumes of sensitive data, and users may not expect all submissions to become queryable historical records.
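The persistence findings above (raw SessionData fields, the performance tracker, cross-session learning, the history query and the batch snapshots) all describe the same write path: a full natural-language record appended to a plaintext JSON file under the home directory with whatever permissions the umask gives. The example below is added here and is not the skill's code. It shows that pattern next to a minimized variant: opt-in before anything touches disk, a hash and length in place of the raw prompt, a redacted and truncated summary, bounded record count, and owner-only permissions on both directory and file. The session fields, the secret patterns, the planted fake secrets and the `audit_store` check are constructed for the example.

```python
import hashlib
import json
import os
import re
import stat
import tempfile
import time

# Constructed session record with the fields the findings name. The secrets
# inside it are fake values planted to show what leaks.
SAMPLE_SESSION = {
    "model": "first-principles",
    "user_input": ("Should we rotate the prod DB credentials? Current password is hunter2 "
                   "and the CI key is AKIAIOSFODNN7EXAMPLE"),
    "result_summary": "Recommend rotating now; token: abc123 appears in the CI log excerpt.",
    "rating": 4,
}


def save_session_raw(memory_dir, session):
    """The pattern the findings describe: full record, plaintext JSON, default umask."""
    os.makedirs(memory_dir, exist_ok=True)
    path = os.path.join(memory_dir, "sessions.json")
    records = []
    if os.path.exists(path):
        with open(path) as f:
            records = json.load(f)
    records.append({**session, "ts": time.time()})
    with open(path, "w") as f:           # typically 0644 under the default umask
        json.dump(records, f)
    return path


# Hardened variant (assumed design, not the skill's). Patterns are illustrative.
SECRET_PATTERNS = [
    r"AKIA[0-9A-Z]{16}",                                            # AWS access key id
    r"(?i)\b(password|passwd|token|secret|api[_-]?key)\b\s*(is|:|=)\s*\S+",
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----",
]


def redact(text):
    for pat in SECRET_PATTERNS:
        text = re.sub(pat, "[REDACTED]", text)
    return text


def minimize(session, summary_chars=120, now=None):
    """Keep what optimisation plausibly needs and drop the raw prompt: the hash
    lets a later session recognise a repeated problem without storing it."""
    raw = session["user_input"]
    return {
        "model": session["model"],
        "rating": session["rating"],
        "input_sha256": hashlib.sha256(raw.encode()).hexdigest(),
        "input_len": len(raw),
        "result_summary": redact(session["result_summary"])[:summary_chars],
        "ts": int(now if now is not None else time.time()),
    }


def save_session_minimized(memory_dir, session, consent=False, max_records=200):
    if not consent:                      # explicit opt-in; otherwise nothing touches disk
        return None
    os.makedirs(memory_dir, mode=0o700, exist_ok=True)
    os.chmod(memory_dir, 0o700)          # owner-only even if the dir pre-existed
    path = os.path.join(memory_dir, "sessions.json")
    records = []
    if os.path.exists(path):
        with open(path) as f:
            records = json.load(f)
    records = (records + [minimize(session)])[-max_records:]   # bounded retention
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        json.dump(records, f)
    os.chmod(path, 0o600)                # in case the file pre-existed with looser bits
    return path


def file_mode(path):
    return stat.S_IMODE(os.stat(path).st_mode)


def audit_store(path):
    """What a reviewer can check after the fact: permissions, secret-looking
    content, and record count of a memory file."""
    with open(path) as f:
        content = f.read()
    return {"mode": file_mode(path),
            "secret_hits": sum(len(re.findall(p, content)) for p in SECRET_PATTERNS),
            "records": len(json.loads(content))}


def demo(base_dir=None):
    base_dir = base_dir or tempfile.mkdtemp()
    raw = save_session_raw(os.path.join(base_dir, "raw"), SAMPLE_SESSION)
    declined = save_session_minimized(os.path.join(base_dir, "hard"), SAMPLE_SESSION)
    hard = save_session_minimized(os.path.join(base_dir, "hard"), SAMPLE_SESSION, consent=True)
    with open(hard) as f:
        hardened_record = json.load(f)[0]
    return {"declined": declined, "raw": audit_store(raw),
            "hardened": audit_store(hard), "hardened_record": hardened_record}


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The same `audit_store` check applied to whatever already sits under ~/.claude/thinking_models is the practical test for the advice in the Overview: a file mode wider than 0600 or any secret-pattern hit means the concern in these findings is not theoretical on that machine. Redaction by pattern is a backstop only; the real reduction comes from never writing the raw prompt in the first place.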

VirusTotal

64/64 vendors flagged this skill as clean. A clean antivirus verdict covers known-malware signatures in the package only; it does not address the behavioral, data-retention, and trigger findings above, which signature scanning does not detect.