ClawHub

Session Manager - 会话管理

Security checks across malware telemetry and agentic risk

Overview

This skill includes useful session cleanup, but it should be reviewed because its proxy features can change system Nginx configuration and expose access tokens.

Install only if you need both session cleanup and the Nginx proxy features. Use dry-run before cleanup, confirm the retention settings, and avoid the proxy scripts unless you are comfortable with sudo changes to Nginx. Do not pass tokens on the command line, and be aware the current proxy implementation stores the token in Nginx config and redirects clients to a URL containing that token.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest presents the skill as session cleanup/management, but the declared scripts also include proxy setup and user creation, which are materially broader capabilities. This mismatch can mislead users and reviewers about the skill's true behavior, increasing the chance that higher-risk operations are installed or executed without informed consent.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The script claims the token will not be logged, but the generated Nginx config performs a 302 redirect to a URL containing `token=$TOKEN` in the query string. Query-string secrets are commonly exposed via browser history, intermediary logs, referrer leakage, and upstream/server access logs, so this directly undermines token confidentiality.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The README states that install.sh automatically creates a cron job for daily cleanup without clearly warning that session data may be deleted automatically. In a session-management context, silent scheduling of destructive actions increases the risk of unintended data loss, especially if users install the skill expecting only monitoring or manual cleanup.

Missing User Warnings

Medium
Confidence
75% confidence
Finding
The script accepts the token as a positional command-line argument and forwards it to another script. Command-line arguments can be exposed through shell history, process listings, job-control tools, or monitoring systems, so a valid credential may be disclosed to other local users or logs.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal