ClawHub

ErgoCare Coach

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed desk-health reminder skill, but users should review generated scripts before running them or enabling startup behavior.

Install is reasonable for personal desk reminders, but treat any generated bash or PowerShell as executable code. Review it before running, prefer normal user privileges, test stop/pause/status behavior, enable startup only intentionally, and avoid silent or team-wide deployment without IT approval, user notice, and rollback instructions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly encourages the skill to generate executable background scripts and configure them to run automatically at startup, but it does not warn users that these scripts will persist, continue running unattended, and may modify user startup behavior. In a skill whose core feature is script generation, that omission increases risk because users may execute generated code with an incomplete understanding of persistence and notification side effects.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The team deployment example promotes rolling out reminder scripts to a 50-person team without any warning about organization-wide execution, user consent, operational disruption, or centralized script review. At enterprise scale, even benign notification scripts can create fleet-wide persistence, noisy system-wide notifications, and trust issues if deployed without controls.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill uses very broad invocation examples such as generic health and exercise requests, which can cause it to trigger outside its intended narrow scope. In practice, that increases the chance the agent routes ordinary medical-symptom or wellness queries to this skill, despite the skill also offering script generation and health guidance that may be inappropriate without clearer boundaries.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The interactive examples overlap with common everyday health queries like eye pain, back pain, and what exercises to do, which are likely to collide with unrelated general-health requests. Because this is a health-themed skill, ambiguous routing is more dangerous than usual: users may receive non-clinical ergonomic advice when they actually need medical guidance or a more appropriate general-health workflow.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal