automation-skill

Security checks across malware telemetry and agentic risk

Overview

This skill does what it claims: it runs web searches across search engines and stores local reflection notes, with no evidence of hidden exfiltration or destructive behavior.

Install only if you are comfortable with search queries being sent to external search engines and reflection entries being stored locally under ~/.qclaw/memory. Do not put secrets, credentials, private project details, or sensitive personal data into searches or reflection notes, and review any additional skill before installing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The report subcommand accepts an arbitrary output path and writes the generated report directly with Path(args.output).write_text(...). In an agent/skill context, this enables writing user-influenced content to any file the process can access, which exceeds the tool's stated memory/reporting purpose and can overwrite shell configs, app settings, or other sensitive files.

Vague Triggers

Medium
Confidence: 88%
Finding
The skill uses broad trigger language that overlaps with ordinary conversation, increasing the chance of accidental activation. In this context, unintended activation matters because the skill may send user text to external search engines or write records to disk without the user's specific intent.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger table contains ambiguous conditions such as general questions and memory-related prompts without clear scoping. This can cause over-triggering and unintended access to local memory files or network actions, especially in a conversational agent where similar phrases occur naturally.

Missing User Warnings

Medium
Confidence: 95%
Finding
The search workflow description does not warn that user queries will be transmitted to multiple third-party search engines. This is dangerous because sensitive prompts, internal project names, credentials, or personal data could be disclosed externally through accidental or unaware use, and multiple-engine fan-out magnifies the exposure.

Missing User Warnings

Medium
Confidence: 94%
Finding
The self-reflection feature stores potentially sensitive behavioral and project-related notes persistently on disk, but the description does not warn users about retention or storage locations. This creates confidentiality and privacy risk because reflective entries may include internal incidents, user data, or sensitive operational mistakes that remain accessible long-term.

VirusTotal

66/66 vendors flagged this skill as clean.
