Back to skill

Security audit

Personal Aissistant

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed personal planner skill that stores local markdown data and uses OpenClaw cron for reminders, with no evidence of hidden exfiltration or destructive behavior.

Install this only if you want a personal assistant that keeps local todo/habit/birthday markdown files and registers OpenClaw cron jobs for reminders. During onboarding, confirm the timezone and every reminder schedule, and review or disable cron jobs if you no longer want background nudges.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill clearly documents capabilities to read and write markdown data and execute Python scripts via shell, yet it declares no explicit permissions. This creates a transparency and policy-enforcement gap: the agent may perform filesystem and command execution actions that users or platform controls were not adequately warned about or able to constrain.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The invocation text is broad enough to match common planning, todo, habit, and briefing requests, which increases the chance the skill activates outside the user's intended scope. Over-broad routing is risky here because the skill can write files and schedule cron-driven actions, so an accidental invocation may cause persistent state changes or autonomous notifications.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises proactive Telegram nudges and cron-based behavior, but it does not prominently warn that it can send autonomous messages after the conversation ends. This is dangerous because users may not realize they are enabling persistent background actions, leading to surprise notifications, privacy issues, or unwanted ongoing automation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The onboarding instructions tell the agent to run `setup_cron.py`, which modifies persistent system scheduling state, without requiring an explicit user confirmation or warning that cron jobs will be created or updated. In a personal-assistant skill, this creates a real risk of surprise background execution, unintended notifications, or persistence on the host if the action is taken automatically.

VirusTotal

54/54 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.