ClawHub

Ops Reports

Security checks across malware telemetry and agentic risk

Overview

This skill saves and summarizes local operations standup notes as advertised, with no evidence of hidden execution or data leaving the machine.

Install only if you are comfortable storing standup notes locally under ~/.ops-commander. Avoid entering confidential incident, customer, credential, or personnel details unless local retention is acceptable, and periodically delete old files if you do not want ongoing history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly persists standup responses to a local file in the user's home directory, but the instructions do not require any user-facing disclosure or consent before storing potentially sensitive operational updates. Standup content commonly includes project status, blockers, escalations, and internal incident details, so silent persistence creates a real privacy and data-handling risk even if the feature appears intended.

Session Persistence

Medium
Category
Rogue Agent
Content
2. What is planned for today?
3. Any blockers or escalations?

Save entries to `~/.ops-commander/standups/YYYY-MM-DD.json`. Create directories on first use.

## Task Summary
On `ops summary`: read `~/.ops-commander/tasks.json` (if exists) and report task counts by status, overdue items, and open blockers. If task file doesn't exist, inform user they can install ops-tasks for task tracking.
Confidence
89% confidence
Finding
Create directories on first use. ## Task Summary On `ops summary`: read `~/.ops-commander

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal