Genai Toolkit

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a local plaintext GenAI logbook, not the advertised MCP/database bridge, and it encourages users to store API keys in logs.

Install only if you want a local plaintext logbook for GenAI notes, not an MCP/database bridge. Do not enter real API keys, database credentials, proprietary prompts, or sensitive evaluation data; anything logged can remain under ~/.local/share/genai-toolkit and later be searched or exported.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The file describes a local CLI note-taking and export tool, while the skill metadata claims MCP/database bridging and evaluation tooling. In an agent ecosystem, this type of semantic mismatch is dangerous because routing, permission decisions, and user trust often depend on the declared capability, not hidden secondary behavior.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
Claiming that data 'never leaves your machine' is misleading when the same documentation promotes exporting stored entries for sharing and explicitly mentions logging sensitive material like API keys. Users may rely on the privacy claim and record secrets or sensitive operational data without appreciating the persistence and exfiltration pathways created by exports and local files.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The script's advertised purpose is to bridge AI models to databases via MCP, but the implemented functionality is only a local logging CLI. This mismatch is dangerous because users may provide database connection details, prompts, evaluation data, or other sensitive operational inputs under false expectations, causing unnecessary local persistence and possible exposure.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
Commands such as configure, benchmark, compare, evaluate, and fine-tune imply substantive AI or database operations, but they only append arbitrary user input to log files. In the context of a purported AI/database tool, this can trick users into entering secrets, prompts, model settings, or infrastructure data that are then retained on disk in plaintext.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding
The script performs broad local collection, search, and export of user-supplied content without a clear functional need tied to the stated database-bridge purpose. This increases the attack surface for local data exposure because sensitive inputs become centrally stored, searchable, and easy to re-export in bulk.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The documentation explicitly encourages users to log 'API keys' and environment settings, which promotes insecure secret handling by storing credentials in plaintext local logs. Even without network behavior, those secrets become exposed to other local users, backups, malware, accidental exports, terminal history, and support bundles.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
User input is written directly to local log files without a clear warning or consent flow. In a tool marketed for AI/database workflows, users may reasonably paste secrets, credentials, prompts, or proprietary data, which then remain stored in plaintext and may be exposed to other local users, backups, or later exports.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The export feature aggregates all logged content into new files without warning, duplicating potentially sensitive history and expanding its exposure. This is particularly risky because it creates consolidated plaintext artifacts that are easier to copy, share, or accidentally disclose than the original per-command logs.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
The toolkit persistently records arbitrary user inputs and provides recent, search, and export functions that surface them in plaintext. In the claimed skill context, this makes the issue more dangerous because users may enter AI prompts, evaluation data, model settings, or database-related secrets under the assumption they are being processed rather than archived.
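The findings above all come down to one condition: arbitrary user input persisted in plaintext under a directory that recent, search and export will happily surface. A local check for that condition, added here as an example that is not part of the SkillSpector report or of the Genai Toolkit skill: it walks the logbook directory, flags credential-shaped strings (redacted in the output) and reports any log file readable by group or others. The directory ~/.local/share/genai-toolkit is taken from the overview; the log file name, the record layout, the pattern labels and the sample log lines are assumptions constructed for the example, since the skill's real format is not shown on this page.

```python
"""Scan a plaintext GenAI logbook for leaked credentials and loose permissions.

Added example, not code from the Genai Toolkit skill or from SkillSpector. The
directory is the one named in the overview; the record layout is unknown, so the
scan is line-oriented and assumes nothing about the format."""
import math
import os
import re
import shutil
import stat
import tempfile
from pathlib import Path

# From the overview; HOME fallback keeps the module importable in odd environments.
DEFAULT_DIR = Path(os.environ.get("HOME", "."), ".local", "share", "genai-toolkit")

# Credential shapes worth surfacing. The labels are ours, not a standard taxonomy.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_style_key": re.compile(r"\bsk-[A-Za-z0-9_-]{20,}"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36}\b"),
    "db_url_with_password": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^:\s/]+:[^@\s]+@"),
    "keyword_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|passwd|token)\s*[=:]\s*['\"]?"
        r"([A-Za-z0-9_\-./+]{8,})"),
    "long_hex_string": re.compile(r"\b[0-9a-fA-F]{40,}\b"),  # hashes too; triage by hand
}
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{32,}")  # random-looking blobs the patterns miss
ENTROPY_THRESHOLD = 4.0  # bits per char: base62/base64 secrets sit above, prose well below

# Constructed sample of what a user might type into configure/benchmark/evaluate.
SAMPLE_LOG = """\
2024-01-05 configure: provider=openai api_key=sk-abc123DEF456ghi789JKL012mno345PQR678 region=us-east-1
2024-01-05 benchmark: dataset=internal-eval-set-v3 runs=5 notes=baseline run, nothing sensitive
2024-01-06 configure: db=postgres://app:Sup3rS3cret!@db.internal:5432/prod
2024-01-06 evaluate: prompt="Summarize the quarterly numbers" score=0.82
2024-01-07 compare: AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE session token noted elsewhere
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(token: str) -> str:
    """Keep enough to locate the token in the file, never enough to reuse it."""
    return f"{token[:4]}...({len(token)} chars)"


def scan_text(text: str) -> list:
    """Return (line_no, kind, redacted_preview) for each credential-like hit."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        covered = []  # spans already reported, so the entropy pass does not repeat them
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(line):
                token = m.group(1) if m.groups() else m.group(0)
                hits.append((line_no, kind, redact(token)))
                covered.append(m.span())
        for m in TOKEN_RE.finditer(line):
            if any(s <= m.start() < e for s, e in covered):
                continue
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                hits.append((line_no, "high_entropy_token", redact(m.group(0))))
    return hits


def audit_dir(directory: Path = DEFAULT_DIR) -> dict:
    """Walk the logbook: secrets per file plus files readable by group or others."""
    report = {"files": 0, "findings": [], "permission_issues": []}
    if not directory.is_dir():
        return report
    for path in sorted(p for p in directory.rglob("*") if p.is_file()):
        report["files"] += 1
        mode = path.stat().st_mode
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            report["permission_issues"].append(f"{path}: {stat.filemode(mode)}")
        for line_no, kind, preview in scan_text(path.read_text(errors="replace")):
            report["findings"].append(
                {"file": str(path), "line": line_no, "kind": kind, "preview": preview})
    return report


def demo_audit() -> dict:
    """Audit a throwaway directory holding SAMPLE_LOG at a deliberately loose 0644."""
    tmp = Path(tempfile.mkdtemp(prefix="genai-toolkit-audit-"))
    try:
        log = tmp / "configure.log"
        log.write_text(SAMPLE_LOG)
        log.chmod(0o644)
        return audit_dir(tmp)
    finally:
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for item in audit_dir()["findings"]:
        print(f'{item["file"]}:{item["line"]} {item["kind"]} {item["preview"]}')
```

Run it before using the export command, or against an export file before sharing it. The named patterns catch the common key formats; the entropy pass catches long random tokens the patterns do not know, while the covered-span check keeps each hit from being reported twice. The hex pattern will also flag SHA digests, which is the right trade for a triage tool: a false positive costs a glance, a missed credential in a shared export does not.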

VirusTotal

65/65 vendors reported this skill as clean. A clean result here means only that no vendor's engine matched a known-malware signature; it does not address the plaintext-logging and description-mismatch findings above.
