ClawHub

clipboard-manager-tool

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward clipboard-history skill that stores saved clipboard entries in a local plaintext workspace file, with no evidence of hidden collection or exfiltration.

Install only if you are comfortable letting the agent read or change your clipboard on request. Avoid saving passwords, API keys, tokens, private messages, or proprietary text, and consider ignoring or regularly deleting clipboard-history.md so saved entries are not committed or shared accidentally.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises clipboard history storage plus set/clear operations without warning that copied data may be persisted locally and may include sensitive secrets such as passwords, tokens, or personal data. In a clipboard-management skill, users are especially likely to handle sensitive transient content, so lack of disclosure and overwrite warnings can lead to unintentional retention, exposure, or destructive replacement of clipboard data.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger description is broad enough that the skill may activate for ordinary requests involving copying, pasting, or clipboard history without making clear that data will be persisted to a workspace file. Because clipboard contents often include secrets, credentials, or personal data, overbroad activation increases the chance of unintended collection or storage of sensitive information.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill states that clipboard history is stored in `clipboard-history.md` in the workspace root but does not warn the user that clipboard data will be written to a persistent, potentially shared file. This is dangerous because clipboard contents frequently contain passwords, API keys, tokens, internal URLs, or personal information, and storing them in the workspace can expose them to other tools, commits, backups, or collaborators.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documented `clear` command is destructive and is presented without any warning, confirmation step, or note that history will be permanently removed. This can lead to accidental loss of clipboard records, which may disrupt user workflows and could erase information needed for auditing or recovery.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script saves raw clipboard contents directly to a persistent markdown file on disk, which can silently capture secrets such as passwords, API keys, tokens, private messages, or customer data. In a clipboard-management skill, this is especially risky because users often copy sensitive material transiently and may not expect durable local storage or later searchability.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal