contextstable

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local writing-context helper, but users should treat saved sessions, exports, and dependencies with normal privacy and supply-chain caution.

Install this in a virtual environment, pin and review dependency versions before serious use, and expect local files to be created when using save_session, export_story, or configured auto-save. Do not save private manuscripts on shared machines, and do not load session/cache files from untrusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 86%
Finding: The skill documentation demonstrates file persistence capabilities through session save/load and export features, but the metadata declares no permissions. Undeclared file read/write capability creates a trust gap: hosts may install or execute the skill without understanding it can access local storage, which can lead to unauthorized reading of saved data or overwriting files if the implementation is permissive. In this context, the danger is increased because the skill is designed to process long user-provided text and conversation history, which may contain sensitive content that gets stored to disk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding: This class for prompt/context stabilization also exposes persistent save/load and export functionality, which expands its capabilities beyond the stated purpose and increases the chance of unintended data retention or exfiltration of story/history content. In an agent-skill setting, filesystem write/read features are security-relevant because long text, prompts, anchors, and generation history may contain sensitive user data and can be persisted without clear trust boundaries in this file.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding: Local filesystem persistence is not obviously necessary for 'context-stable continuation' and therefore represents unnecessary attack surface and privacy risk. In this context, saved config/history files can preserve sensitive prompts, generated text, and story state across sessions, making accidental disclosure or misuse more likely.

Description-Behavior Mismatch

Severity: Medium
Confidence: 87%
Finding: The code can persist full prompts, generated text, character state, and plot timeline to caller-controlled local paths, which goes beyond the narrowly described purpose of context-stable continuation generation. In an agent environment, this creates a data exposure risk because potentially sensitive user inputs and model outputs may be written to disk without clear scoping, minimization, or consent controls.

Context-Inappropriate Capability

Severity: Medium
Confidence: 84%
Finding: The import/export functions allow reading from and writing to arbitrary local file paths, which expands the skill's capabilities beyond text continuation into local filesystem interaction. Even without direct exfiltration code, this increases the attack surface because an upstream agent or user-controlled parameter could cause sensitive local data to be loaded or conversation data to be written to unintended locations.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The session-saving logic writes configuration and history to disk with no user-facing warning or consent mechanism visible in this file. Because history likely contains prompts, generated text, anchors, and consistency results, silent persistence can surprise users and create privacy, compliance, or data-leakage issues in environments where agents are expected to be ephemeral.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The embedding cache persists user-derived content representations and timestamps to disk via pickle without any disclosure, consent, retention control, or access protection in this code path. In a long-form writing/context skill, cached embeddings are likely derived from sensitive user prompts or manuscript content, so local persistence can create privacy leakage, forensic recoverability, and unintended cross-session data retention risks.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: When auto_save is enabled, each added record may be written to disk automatically, including prompts and generated content, without any visible user disclosure or consent mechanism in this code. In practice, this can silently retain sensitive conversation material and create privacy/compliance issues, especially in shared or multi-tenant execution environments.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The serialization routine writes the complete history, including user prompts, generated text, character state, and timeline data, to disk as plaintext JSON. This is dangerous because it stores potentially sensitive or proprietary content in a durable form without minimization, access control, or warning, making accidental disclosure more likely.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The export function can write the full story and original prompts to a chosen file, including in JSON form that preserves chapter-by-chapter prompt/content pairs. That can expose sensitive user instructions or private generated material if exported unintentionally, to an unsafe path, or in an environment where local files are accessible to other processes/users.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
langchain>=0.1.0
langchain-community>=0.0.10
sentence-transformers>=2.2.0
faiss-cpu>=1.7.4
Confidence: 95%
Finding: langchain>=0.1.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
langchain>=0.1.0
langchain-community>=0.0.10
sentence-transformers>=2.2.0
faiss-cpu>=1.7.4
pydantic>=2.0.0
Confidence: 95%
Finding: langchain-community>=0.0.10

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
langchain>=0.1.0
langchain-community>=0.0.10
sentence-transformers>=2.2.0
faiss-cpu>=1.7.4
pydantic>=2.0.0
Confidence: 90%
Finding: sentence-transformers>=2.2.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
langchain>=0.1.0
langchain-community>=0.0.10
sentence-transformers>=2.2.0
faiss-cpu>=1.7.4
pydantic>=2.0.0
Confidence: 90%
Finding: faiss-cpu>=1.7.4

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
langchain-community>=0.0.10
sentence-transformers>=2.2.0
faiss-cpu>=1.7.4
pydantic>=2.0.0
Confidence: 95%
Finding: pydantic>=2.0.0

Known Vulnerable Dependency: langchain — 10 advisory(ies): CVE-2023-36258 (langchain arbitrary code execution vulnerability); CVE-2026-45134 (LangSmith SDK: Public prompt pull deserializes untrusted manifests without trust); CVE-2024-2965 (Denial of service in langchain-community) +7 more

Severity: Critical
Category: Supply Chain
Confidence: 97%
Finding: langchain

Known Vulnerable Dependency: langchain-community — 9 advisory(ies): CVE-2024-2965 (Denial of service in langchain-community); CVE-2024-8309 (Langchain SQL Injection vulnerability); CVE-2024-5998 (LangChain pickle deserialization of untrusted data) +6 more

Severity: Critical
Category: Supply Chain
Confidence: 97%
Finding: langchain-community

Known Vulnerable Dependency: pydantic — 3 advisory(ies): CVE-2021-29510 (Use of "infinity" as an input to datetime and date fields causes infinite loop i); CVE-2024-3772 (Pydantic regular expression denial of service); CVE-2021-29510 (Pydantic is a data validation and settings management using Python type hinting.)

Severity: High
Category: Supply Chain
Confidence: 90%
Finding: pydantic

VirusTotal

66/66 vendors flagged this skill as clean.
