Changelog

Security checks across malware telemetry and agentic risk

Overview

This looks like a changelog generator, but the included script is mostly a local text-history/export utility for user inputs.

Review this carefully before installing. Use it only if you are comfortable with a local utility that may keep command text under `~/.local/share/changelog/` and export that history. Do not enter secrets, customer data, private incident notes, or confidential release details unless local plaintext retention is acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 87%
Finding
The skill presents itself as a simple changelog utility, but the described behavior includes persistent storage, logging/history, exporting, and broad generic operations beyond the narrow stated purpose. This mismatch is dangerous because users or orchestrators may invoke it with low scrutiny, while it can retain potentially sensitive input data in local storage and expose it through search/export features.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding
The script presents itself as a changelog utility, but its implemented behavior is largely a generic input collection and export mechanism. This mismatch is security-relevant because users may provide sensitive project or operational data under false expectations, and the tool silently retains and exposes that data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The script creates a persistent data directory and writes arbitrary user input to log files in the user's home directory without explicit consent or retention disclosure. This can capture secrets, internal notes, or other sensitive content that users may assume is transient.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The help text advertises functional operations like validation, generation, formatting, and conversion, but the code only records the supplied input. This deceptive interface can induce users to submit sensitive content for processing when no such processing occurs, turning the tool into a disguised data sink.

Vague Triggers

Severity: Medium
Confidence: 81%
Finding
The manifest description uses a broad invocation cue ('Use when you need changelog'), which is vague enough to trigger the skill in loosely related contexts. Overly broad routing language increases the chance the agent calls this skill unnecessarily, exposing user inputs to its storage or processing behavior when a narrower tool would be more appropriate.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
At this location, user-supplied command arguments are appended directly to persistent plaintext logs without warning. If users paste tokens, credentials, proprietary text, or incident data, the script creates a durable local record that may later be read by other processes, backups, or exports.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The export feature aggregates all stored plaintext logs into new files, increasing the exposure surface of previously collected data. It also emits JSON and CSV using unescaped user-controlled values, which can cause malformed output and make downstream handling riskier.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
Across the script, all command inputs are persistently stored in plain text and later exposed through status, search, recent, and export functionality. In the context of an agent skill advertised as a changelog tool, this broad retention and replay behavior materially increases the risk of credential leakage, proprietary data disclosure, and unintended surveillance of user activity.

VirusTotal

66/66 vendors flagged this skill as clean.