ClawHub

Pantry

Security checks across malware telemetry and agentic risk

Overview

Pantry is a local pantry logging tool that stores and exports user-entered household data on disk, with no evidence of hidden network access, credential use, or destructive behavior.

Install only if you are comfortable with pantry entries, costs, reminders, and activity history being saved in plaintext under ~/.local/share/pantry and included in exports. Avoid entering sensitive household details on shared machines, review export files before sharing them, and manually delete the pantry data directory if you want to clear history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (6)

Missing User Warnings

Low
Confidence
77% confidence
Finding
The skill states that all actions are logged with timestamps and stored persistently under a local directory, but it does not clearly warn users about retention, sensitivity, or how to delete records. Even for a pantry tool, logs and exported files can reveal household routines, purchasing habits, and potentially sensitive notes; the risk is amplified because the command set supports generic logging and reporting beyond simple stock tracking.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script stores arbitrary user input verbatim in persistent plaintext logs under the user's home directory without any notice, minimization, or retention controls. Because pantry inputs can contain shopping habits, schedules, reminders, or other personal notes, this creates avoidable privacy exposure if the host is shared, backed up, or later inspected by other software.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The export feature copies all accumulated user entries into new aggregate files, increasing the number of locations where sensitive content is stored and making bulk disclosure easier. Without warning, access controls, or redaction, users may unknowingly create broadly readable snapshots of their historical data.

Ssd 3

Medium
Confidence
92% confidence
Finding
The design intentionally records and later reuses arbitrary user-provided content across commands, which turns transient inputs into persistent plaintext history. In a household-management context, that can expose behavioral patterns, schedules, food inventory, and other personal data beyond what users may expect from a simple CLI helper.

Ssd 3

Medium
Confidence
95% confidence
Finding
By aggregating every log into export files, the command creates a convenient single target containing the user's entire stored history. Consolidation materially raises disclosure risk because an attacker, another local user, or backup/sync tooling only needs access to one file to obtain all entries.

Ssd 3

Medium
Confidence
93% confidence
Finding
The status, search, and recent commands reveal previously stored user content in plain text, which can expose sensitive history to anyone with terminal access or to logs/screen capture mechanisms. In particular, the status command includes the last history entry, causing incidental disclosure even during a simple health check.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal