Grammar Check

Security checks across malware telemetry and agentic risk

Overview

The grammar helper is mostly ordinary, but the package includes an under-disclosed generic local data utility that can save and re-display user input.

Review before installing. The main grammar templates look low risk, and there is no evidence of network exfiltration or destructive behavior, but avoid putting sensitive drafts or private text into the auxiliary utility unless you are comfortable with it being saved locally. Prefer the grammar-specific script/instructions, or ask the publisher to remove or clearly document the generic storage utility.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High
Confidence: 96%
Finding
The script's implemented behavior does not match the advertised grammar-checking purpose and instead provides a generic local data-management interface. Capability mismatch is dangerous because it can mislead users and reviewers into granting trust or permissions to a tool that performs unrelated data collection and persistence, which creates supply-chain and insider-risk concerns even if no overtly malicious code is present.

Intent-Code Divergence

Medium
Confidence: 90%
Finding
Describing the file as a 'Multi-purpose utility tool' directly contradicts the skill's declared identity as a grammar-check assistant. This inconsistency is a trust and transparency issue because it obscures what the skill actually does, making it easier to hide unexpected behavior from users and automated review processes.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The script creates persistent storage, logs activity, and exports retained records despite these capabilities being unrelated to grammar correction. In the context of a language-assistance skill, this unnecessary data retention increases privacy risk because user inputs may be stored locally and later exposed through list/export operations without a clear need.

Missing User Warnings

Medium
Confidence: 92%
Finding
The logging helper silently appends command details to a persistent history file without notifying the user. Hidden retention is risky because user-provided text may contain sensitive content, and the skill context makes this more concerning since grammar tools commonly process drafts, emails, and other confidential writing.

Missing User Warnings

Medium
Confidence: 93%
Finding
The add command writes arbitrary user-supplied content to a persistent database file with no warning, and the stored content can later be exposed through list/export. For a purported grammar-check skill, this is especially problematic because users may submit sensitive text expecting transient processing rather than durable local storage.

VirusTotal

63/63 vendors flagged this skill as clean.
