Sdw Kb

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent knowledge-graph purpose, but it can persistently index local content and offers network, server, watch, and remote database modes with broad activation and limited guardrails.

Install only if you are comfortable with a skill that can index local folders into a persistent knowledge base. Use explicit /sdw-kb commands, review the target path before running, avoid sensitive repositories unless needed, and be cautious with add <url>, --neo4j-push, --mcp, --watch, and hook install because those modes can fetch remote content, transmit graph data, expose a graph to agents, or keep processing files over time.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium · 93% confidence
The skill supports fetching arbitrary URLs and saving them into the knowledge-base workflow, which expands it from local graph generation into unrestricted network retrieval. That creates SSRF/privacy risks, can ingest attacker-controlled content, and may exfiltrate browsing intent or pull in sensitive internal resources if URL handling is not constrained.

Context-Inappropriate Capability

High · 96% confidence
Direct Neo4j push introduces remote write capability beyond simple file-based graph generation. If invoked with attacker-influenced parameters or on sensitive corpora, it can transmit extracted data to an external database, creating confidentiality and integrity risks.

Context-Inappropriate Capability

Medium · 88% confidence
Starting an MCP stdio server exposes the generated graph through a long-lived runtime/service interface not reflected in the core skill description. This increases attack surface and can enable unintended access patterns or data exposure from a persistent knowledge base.

Context-Inappropriate Capability

Medium · 86% confidence
Watch mode and hook/integration features create ongoing automation that can repeatedly process files or modify developer workflow beyond a one-shot graph build. That persistence can surprise users, repeatedly ingest new data, and widen the blast radius if the skill is triggered in a sensitive repository.

Vague Triggers

High · 97% confidence
The trigger condition is overly broad and can activate on common user requests about knowledge graphs even without explicit invocation. For a skill that creates persistent storage, performs optional network actions, and can start services/hooks, accidental triggering materially increases the risk of unintended side effects.

Missing User Warnings

Medium · 91% confidence
The skill persistently writes knowledge bases and outputs under `~/.sdw/knowledge_bases/` and auto-creates directories, but this is not clearly disclosed up front in the description. Hidden persistence is risky because users may not realize local copies, reports, and derived graphs are being retained across sessions.

Missing User Warnings

Medium · 94% confidence
The skill includes network-dependent and service-like features such as URL fetch, Neo4j push, and MCP/watch functionality without a consolidated warning about transmission, exposure, or persistence. Users may assume a local-only graphing tool and inadvertently authorize external communication or broader data handling than expected.

VirusTotal

64/64 vendors flagged this skill as clean.