alexey-proactive-agent

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it gives a proactive agent broad memory, monitoring, cleanup, and automation behaviors without enough consent boundaries.

Install only if you intentionally want a highly proactive, memory-heavy assistant. Before using it, gate or remove automatic cleanup, BOOTSTRAP.md deletion, email/calendar checks, spawned agents, autonomous cron work, and broad transcript logging. Review the created memory files regularly, avoid storing secrets or sensitive personal details, and require explicit approval before any external, destructive, or background action.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (33)

Description-Behavior Mismatch

Severity: Medium. Confidence: 89%.
These rules authorize broad actions such as web searching, checking calendars, and working freely within the workspace without a clear task-bound activation condition. In a proactive agent, this can expand behavior beyond the declared purpose and increase the chance of unnecessary data access or unintended side effects.

Description-Behavior Mismatch

Severity: Medium. Confidence: 95%.
The heartbeat section turns the skill into an ongoing monitoring agent for emails, calendar events, logs, and ideas, which materially expands its operational scope. Persistent autonomous checking increases privacy risk and can lead to surveillance-like behavior or actions based on sensitive data absent a fresh user prompt.

Context-Inappropriate Capability

Severity: Medium. Confidence: 93%.
Telling the agent to use 'every tool' including browser, web search, CLI, and spawned agents encourages unbounded capability escalation when facing blockers. This is dangerous because it removes proportionality and can cause the agent to access external systems, leak context to subagents, or perform risky operations not required by the original task.

Intent-Code Divergence

Severity: Medium. Confidence: 91%.
The instruction 'Don't ask permission. Just do it.' conflicts with later safeguards that require approval for deletion, external actions, and security changes. Conflicting directives are dangerous because agents may follow the more general autonomy instruction and bypass the narrower safety checks in ambiguous situations.

Context-Inappropriate Capability

Severity: Medium. Confidence: 96%.
The heartbeat instructs the agent to autonomously close applications, manage browser tabs, and move desktop files to trash. These are system/UI actions that can disrupt user work or delete data, and they are not bounded by explicit consent, confirmation, or tight safety criteria, making accidental harmful behavior plausible.

Context-Inappropriate Capability

Severity: Medium. Confidence: 95%.
The skill directs periodic checking of emails, calendar, and projects, which gives the agent ongoing access to sensitive personal and business information beyond the minimal scope implied by a generic proactive assistant. Without explicit privacy boundaries, this can expose confidential communications, schedules, and work details to unnecessary processing or misuse.

Context-Inappropriate Capability

Severity: Medium. Confidence: 85%.
The onboarding reference expands the agent's post-onboarding behavior to 'build things' for the user based on inferred usefulness, which exceeds narrow onboarding and can normalize autonomous action beyond clearly consented scope. In a proactive-agent skill, this broad delegation increases the chance of unintended actions being taken under ambiguous user intent, even though the text also says external actions should be checked first.

Vague Triggers

Severity: Medium. Confidence: 88%.
The skill uses broad activation language like anticipating needs, proactive check-ins, and creating value without being asked, which can cause the agent to act in ordinary conversation without a tightly scoped trigger. In an agent with tools or persistent memory, this raises the risk of unintended data collection, unsolicited actions, and user surprise about when the skill is active.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The description emphasizes memory that persists and compounds knowledge over time, but it does not clearly warn users that personal context may be stored across sessions. This creates a privacy and transparency risk because users may disclose sensitive information without understanding retention behavior.

Vague Triggers

Severity: Medium. Confidence: 90%.
The WAL trigger conditions are so broad that they will activate on routine conversation, causing the agent to persist large amounts of user input by default. This increases privacy risk, unnecessary retention, and the chance that sensitive details are written to durable files without clear necessity or consent.

Missing User Warnings

Severity: High. Confidence: 98%.
The skill directs the agent to automatically populate persistent memory files from onboarding answers and ongoing conversation without a clear user-facing privacy notice or consent flow. That creates a meaningful risk of collecting and retaining personal data users may reasonably expect to remain ephemeral within chat.

Missing User Warnings

Severity: High. Confidence: 99%.
The Working Buffer protocol requires logging every exchange after a context threshold, effectively creating transcript retention without clear disclosure, minimization, or sensitivity filtering. This can capture secrets, confidential business content, or personal data far beyond what is necessary for continuity.

Vague Triggers

Severity: Medium. Confidence: 90%.
The WAL trigger tells the agent to scan every message for extremely common conversational patterns like corrections, preferences, names, numbers, and decisions, then persist them before responding. This creates an overly broad activation surface where routine conversation can trigger file writes and state changes, which is risky because it normalizes indiscriminate persistence of sensitive user content.

Vague Triggers

Severity: Medium. Confidence: 82%.
The compaction-recovery trigger includes very common phrases such as 'continue' and 'where were we?', which can activate recovery logic during ordinary conversation. In practice this can cause unnecessary file reads, memory recovery actions, and persistence workflows based on ambiguous language rather than deliberate user intent.

Vague Triggers

Severity: Medium. Confidence: 90%.
This directive broadly encourages action without clear activation constraints, task boundaries, or definitions of what counts as safe autonomous behavior. In practice, that can prompt the agent to initiate reads, edits, or monitoring absent a concrete user request, increasing the risk of overreach.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The first-run instruction says to follow BOOTSTRAP.md and then delete it, but provides no user-facing warning or approval step. Because BOOTSTRAP.md is untrusted content from the workspace, this combines execution of potentially adversarial instructions with immediate destruction of evidence or recovery material.

Missing User Warnings

Severity: Medium. Confidence: 97%.
The cleanup guidance includes destructive or disruptive actions such as closing apps and moving old screenshots to trash, but provides no requirement for warning, backup, or confirmation. In practice this can cause data loss, loss of unsaved work, and user confusion, especially in an automated heartbeat context.

Missing User Warnings

Severity: Medium. Confidence: 93%.
Periodic review of emails, calendar, and projects is a privacy-sensitive activity, yet the skill provides no warning, consent language, retention limits, or access controls. This normalizes continuous monitoring of sensitive data without transparency, increasing the risk of overcollection and privacy violations.

Missing User Warnings

Severity: Medium. Confidence: 93%.
This template explicitly encourages storing long-term memory about a human, including preferences, important dates, relationships, and lessons learned, but provides no warning about collecting or retaining sensitive personal data. In an agent skill designed to be proactive and continuously improve, this omission increases the likelihood that operators will persist unnecessary personal or confidential information without consent, minimization, retention limits, or review safeguards.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The onboarding flow explicitly collects sensitive personal context such as timezone, goals, work context, and key people, then states that the agent will persist that data into USER.md and SOUL.md. There is no explicit warning about data retention, scope of use, consent for persistence, or guidance on minimizing sensitive entries, which creates a privacy and data-handling risk if users share more than intended.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The template explicitly documents a credential storage location and gives an example secret file, while only saying 'not the credentials themselves' later and without a prominent warning about sensitive data handling. In an agent-oriented skill, this can normalize secret discovery and documentation patterns, increasing the chance that users record, surface, or accidentally expose credential material to the agent or in generated artifacts.

Missing User Warnings

Severity: Medium. Confidence: 87%.
This template explicitly encourages collecting broad personal information about a user, including goals, relationships, preferences, and lifestyle context, but provides no guidance on minimizing data collection, avoiding sensitive categories, obtaining consent, or handling retention and access. In a proactive agent skill, this creates a meaningful privacy risk because the agent is incentivized to accumulate detailed user profiles that may be unnecessary for many tasks and could later be exposed, misused, or over-relied on.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The skill instructs the agent to save answers and inferred user information into ONBOARDING.md, USER.md, or SOUL.md without informing the user that their data will be recorded and retained. This undermines informed consent and can expose personal preferences, goals, and identity details to unintended reuse or later disclosure.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The opportunistic learning section directs the agent to extract personal details from ordinary conversation and write them into USER.md without a clear user warning. Because the collection is covert from the user's perspective, it creates a meaningful privacy risk and can lead to unexpected profiling across sessions.

Ssd 3

Severity: Medium. Confidence: 96%.
The onboarding flow explicitly says the agent learns from natural conversation and updates persistent profile files like USER.md and SOUL.md. This encourages passive collection and long-term storage of user context, including information the user may not realize is being formalized into durable records.

VirusTotal

64/64 vendors flagged this skill as clean.