ClawHub

alarm-memo-assistant-pro

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed reminder and memo skill that may store notes locally and create scheduled reminders, which matches its stated purpose.

Install this only if you want OpenClaw to manage reminders, notes, todos, and recurring task summaries. Before enabling daily pushes or recurring reminders, confirm where the data files live and how to review, edit, disable, or delete scheduled jobs and stored records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger examples include very common, everyday phrases such as asking to '记一下' or '整理成待办', which can overlap with normal conversation and cause the skill to activate when the user did not intend to create reminders or store data. In a skill that writes notes, todos, or schedules reminders, accidental activation can lead to unintended persistence, unwanted reminders, and confusion about what data was saved.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes daily push delivery and persistent storage behavior but does not clearly warn users that reminders may be automatically sent later and that task/memo data may be stored across sessions. In a scheduling skill, this matters because users may unknowingly enable background-like behavior or retain sensitive personal information in files/session state beyond the immediate chat.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The high-priority trigger list includes very common phrases such as '记一下', '提醒我', and '记录一下', which can cause the skill to activate in ordinary conversation without clear user intent to create or store reminders. In an agent environment with file, cron, or session-send capabilities, this increases the risk of unintended persistence, scheduling, or message delivery based on ambiguous language.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The weak triggers are highly ambiguous phrases tied to general productivity discussion, such as '安排一下' or '帮我列任务', without enough boundary checks. This can lead the agent to enter storage or automation workflows when the user may only want brainstorming or conversational planning, causing unintended data retention or task creation.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes very broad everyday phrases such as '记一下', '记录一下', and '帮我记住', which can easily appear in normal conversation without the user intending to invoke persistent storage or scheduling behavior. In a skill that can create reminders, memos, or automated pushes, this raises the risk of unintended activation, accidental data capture, and unwanted task creation.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The Daily Digest examples like '今天要做什么' and '发我今日任务' do not clearly separate casual inquiry from activation of scheduled or push-style behavior. In this skill's context, ambiguous routing can cause unintended retrieval of sensitive task data or accidental enrollment into recurring notifications such as '每天 8 点把任务推给我'.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal