Task Protection

Security checks across malware telemetry and agentic risk

Overview

This task-tracking skill is mostly coherent, but it ships a news script with an embedded API key and a fixed Feishu message recipient, so users should review it before use.

Review before installing or running. Remove and rotate the embedded Tavily key, replace the fixed Feishu user ID with explicit user configuration, verify the absolute /home/admin paths, and assume task names, descriptions, logs, errors, generated reports, and newsletters may persist locally until manually cleaned up.
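The pattern the overview warns about and the shape of the fix it recommends, as an added Python example that is not the skill's own script: the "before" block is an illustration of a key, recipient and path baked into source, and the "after" block reads the same three settings from operator-supplied environment variables and refuses to run without them. All values are placeholders; the variable names `TAVILY_API_KEY`, `FEISHU_RECIPIENT_ID` and `SKILL_DATA_DIR` and the assumed `ou_` prefix of a Feishu open_id are my assumptions, not the skill's.

```python
"""Added example, not the skill's own code: the configuration pattern the
overview warns about beside a hardened replacement. Every value below is a
placeholder; the setting names and the assumed Feishu open_id prefix "ou_"
are assumptions."""
import os
from dataclasses import dataclass
from pathlib import Path
from typing import Dict, List, Optional

# --- Before (illustrative): one shared secret, one fixed recipient, one host's path ---
TAVILY_API_KEY = "tvly-PLACEHOLDER-not-a-real-key"   # anyone with the file owns the key
FEISHU_RECIPIENT = "ou_placeholder_user_id"           # every installer messages this user
REPORT_DIR = "/home/admin/reports"                    # only valid on the author's machine

# --- After: required settings come from the operator; no baked-in fallback ---
REQUIRED = ("TAVILY_API_KEY", "FEISHU_RECIPIENT_ID", "SKILL_DATA_DIR")  # assumed names


class ConfigError(ValueError):
    """Raised instead of silently falling back to a value embedded in source."""


@dataclass(frozen=True)
class NewsConfig:
    tavily_api_key: str
    feishu_recipient: str
    report_dir: Path


def missing_settings(env: Dict[str, str]) -> List[str]:
    """Names of required settings that are absent or blank, in REQUIRED order."""
    return [name for name in REQUIRED if not env.get(name, "").strip()]


def load_config(env: Optional[Dict[str, str]] = None) -> NewsConfig:
    """Build the config from environment variables and fail closed on gaps."""
    env = dict(os.environ) if env is None else env
    missing = missing_settings(env)
    if missing:
        raise ConfigError("set these before running: " + ", ".join(missing))
    recipient = env["FEISHU_RECIPIENT_ID"].strip()
    if not recipient.startswith("ou_"):  # assumed open_id shape; adjust if yours differs
        raise ConfigError("FEISHU_RECIPIENT_ID does not look like a Feishu open_id")
    # Persistent state goes under an operator-chosen directory, never /home/<user>.
    report_dir = Path(env["SKILL_DATA_DIR"].strip()).expanduser().resolve() / "reports"
    return NewsConfig(env["TAVILY_API_KEY"].strip(), recipient, report_dir)


def loggable(cfg: NewsConfig) -> Dict[str, str]:
    """The subset that may be written to the skill's own logs and reports.

    The key is reduced to its prefix so the persisted artifacts the findings
    describe (logs, reports, newsletters) cannot become a second copy of it.
    """
    return {
        "feishu_recipient": cfg.feishu_recipient,
        "report_dir": str(cfg.report_dir),
        "tavily_api_key": cfg.tavily_api_key[:5] + "***",
    }


if __name__ == "__main__":
    try:
        print(loggable(load_config()))
    except ConfigError as exc:
        print("refusing to run:", exc)
```

Rotate the exposed key at the provider after removing it; changing the source alone leaves every copy already distributed (backups, clones, logs) usable.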

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (9)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding
The skill documents shell-based execution patterns and operational scripts but does not declare corresponding permissions. This creates a transparency and policy-enforcement gap: an agent or reviewer may underestimate the skill's ability to run commands, touch local state, and trigger side effects. In an agent ecosystem, undeclared shell capability increases the chance of unsafe invocation or bypass of expected approval controls.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 97%
Finding
The documented purpose is task tracking, but the skill behavior extends into external network access, messaging, system inspection, task-file scanning, and even use of hardcoded secrets and recipient identifiers. This mismatch is dangerous because it hides materially different capabilities behind a benign-seeming description, which can mislead users and automated permissioning into allowing data exfiltration, secret misuse, or unintended system interaction. The hardcoded API key/recipient aspect substantially raises severity beyond a mere documentation issue.

Context-Inappropriate Capability

High
Confidence: 99%
Finding
The script hardcodes a live-looking Tavily API key directly in source, which can be exposed through source control, backups, logs, or local file disclosure. Anyone obtaining the script can reuse the credential for unauthorized API access, incur cost, and abuse the account tied to that key.

Missing User Warnings

Low
Confidence: 87%
Finding
The README describes automatic state tracking, logs, dashboards, and a registry file, but it does not clearly warn users that the skill will create persistent files during normal operation. For a task-management skill, undisclosed persistence can surprise operators, leak task metadata into local storage, and create privacy or cleanup issues, especially when used for sensitive system tasks.

Vague Triggers

Medium
Confidence: 83%
Finding
The activation criteria are broad enough to match many ordinary tasks, increasing the chance that the skill will be invoked in contexts where task registration, logging, shell actions, or side effects are unnecessary or inappropriate. Over-broad triggering is risky in agent systems because it expands the situations in which the skill may inspect local state, create files, or initiate external operations under a generalized 'task management' label.

Vague Triggers

Medium
Confidence: 80%
Finding
The 'when to use' categories are ambiguous and include broad buckets like critical operations, user-delegated tasks, and long-running work without strict boundaries. In practice this can cause the skill to be over-applied, normalizing logging, file creation, system checks, or outbound actions in contexts where users did not clearly consent to those behaviors.

Missing User Warnings

Medium
Confidence: 84%
Finding
The documentation tells the AI to directly create persistent task state files and logs in the workspace without any warning, consent boundary, or data minimization guidance. In an agent setting, this can cause unintended retention of user prompts, task metadata, or sensitive operational details on disk, increasing privacy and tampering risk.

Missing User Warnings

Medium
Confidence: 88%
Finding
The example workflow shows generated content being saved to files and tracked in task state/log files, but it does not warn that task execution may persist user-provided or model-generated content to disk. In this skill context, which covers broad task lifecycle management, such silent persistence can expose private data, create compliance issues, and leave sensitive artifacts behind.

Missing User Warnings

High
Confidence: 98%
Finding
A hardcoded API credential is embedded in code and then used for outbound requests without any visible disclosure, approval, or secret-handling controls. In this task skill context, the script is intended for automated recurring execution, which increases the chance the secret is broadly accessible and repeatedly abused if leaked.
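A pre-install review pass that checks a skill's files for the concrete patterns the findings above describe (an embedded API key, a fixed messaging recipient, absolute /home paths, outbound HTTP calls), as an added Python example rather than SkillSpector's or the skill's own code. The key prefix `tvly-` and the Feishu open_id prefix `ou_` are assumed formats, and the sample file contents are constructed for the example; the real script's values are not reproduced here.

```python
"""Added example, not SkillSpector's or the skill's code: a review pass over a
skill's files for the patterns the findings describe. Key and open_id formats
are assumptions; the sample files are constructed."""
import re
from typing import Dict, List, Tuple

# (name, pattern, severity). Formats are assumptions: Tavily keys are taken to
# start with "tvly-" and Feishu open_ids with "ou_"; adjust to your inventory.
CHECKS: List[Tuple[str, re.Pattern, str]] = [
    ("embedded_api_key",
     re.compile(r"""["'](tvly-[A-Za-z0-9_\-]{10,})["']"""), "high"),
    ("generic_secret_assignment",
     re.compile(r"""(?i)(api[_-]?key|secret|token)\s*=\s*["'][^"']{16,}["']"""), "high"),
    ("fixed_feishu_recipient",
     re.compile(r"""["'](ou_[A-Za-z0-9]{8,})["']"""), "high"),
    ("absolute_home_path",
     re.compile(r"""(/home/[A-Za-z0-9_.\-]+/[^\s"']*)"""), "medium"),
    ("outbound_http",
     re.compile(r"""\b(requests\.(get|post)|urlopen|httpx\.(get|post))\("""), "medium"),
]


def scan_text(path: str, text: str) -> List[dict]:
    """One hit per (line, check). Evidence is truncated so the review report
    itself does not become another copy of the secret."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx, severity in CHECKS:
            m = rx.search(line)
            if m:
                hits.append({"file": path, "line": lineno, "check": name,
                             "severity": severity, "evidence": m.group(0)[:10] + "..."})
    return hits


def scan_files(files: Dict[str, str]) -> List[dict]:
    """Scan a mapping of relative path -> file text (read from disk in practice)."""
    hits = []
    for path, text in sorted(files.items()):
        hits.extend(scan_text(path, text))
    return hits


def summarize(hits: List[dict]) -> Dict[str, int]:
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["check"]] = counts.get(h["check"], 0) + 1
    return counts


def verdict(hits: List[dict]) -> str:
    """'block' on any embedded secret or fixed recipient, 'review' on the rest."""
    if any(h["severity"] == "high" for h in hits):
        return "block"
    return "review" if hits else "ok"


# Constructed sample resembling the overview's description; values are fake.
SAMPLE_FILES = {
    "scripts/news.py": "\n".join([
        "import requests",
        "TAVILY_API_KEY = 'tvly-EXAMPLEKEY0123456789'",
        "RECIPIENT = 'ou_example1234567890'",
        "REPORT_DIR = '/home/admin/reports'",
        "def fetch(q):",
        "    return requests.post(SEARCH_URL, json={'query': q, 'api_key': TAVILY_API_KEY})",
    ]),
    "SKILL.md": "Tasks are registered under /home/admin/tasks/registry.json",
}

if __name__ == "__main__":
    found = scan_files(SAMPLE_FILES)
    for h in found:
        print(f"{h['severity']:6} {h['file']}:{h['line']} {h['check']} {h['evidence']}")
    print("verdict:", verdict(found))
```

Pattern checks like these are a gate, not a substitute for reading the script: a key assembled at runtime or a recipient loaded from a bundled data file passes them, so use the output to decide where to look first.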

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal