daily-rhythm

Security checks across malware telemetry and agentic risk

Overview

This daily planning skill is mostly disclosed, but its optional business-metrics path uses broad subscription access and stores customer identifiers locally without enough scoping or privacy guidance.

Install only after reviewing the scripts and deciding whether you need the optional ARR feature. If you do not need business metrics, do not set SKILLBOSS_API_KEY or schedule sync-stripe-arr.py. Keep Google credentials, API keys, and ICS URLs out of shared folders and repositories, review the cron entries before enabling them, and periodically delete or protect the local memory files that may contain tasks, reflections, calendar-derived data, ARR, and customer identifiers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documents capabilities to read/write local files, use environment variables, and make network calls, but it does not declare those permissions. That creates a transparency and consent problem: users may install a seemingly harmless planning skill without realizing it accesses Google Tasks, external APIs, and local memory files on a schedule.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The declared purpose emphasizes daily planning and reflection, but the documented behavior also includes pulling subscription/business data, calculating ARR, and writing metrics to local state. This mismatch is risky because users may not expect a personal routine skill to access potentially sensitive business/admin data, increasing the chance of over-privileged deployment and uninformed consent.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The template expands a daily planning skill into business financial reporting by syncing and surfacing Stripe ARR. That introduces access to sensitive commercial data that is not clearly necessary for the declared routine/reflection purpose, increasing the chance of over-privileged integrations and unintended disclosure in outbound messages.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Using Stripe ARR in a daily rhythm template is context-inappropriate because it pulls sensitive financial metrics into a personal productivity workflow without a strong functional need. That mismatch makes accidental exposure more likely, especially when the same brief is sent over consumer messaging platforms and combined with other personal data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The morning brief script for a daily routine skill invokes `sync-stripe-arr.py`, which synchronizes business revenue metrics unrelated to the declared purpose of planning, routines, or reflection. This introduces unnecessary access to sensitive business systems and expands the skill's data and permission scope beyond user expectations, creating a meaningful risk of unauthorized data exposure or covert exfiltration.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
A daily-rhythm assistant should not need external business API synchronization to generate a morning brief, so this capability is unjustified in context and materially increases attack surface. If the script or its dependencies are abused, compromised, or misconfigured, they could access or leak sensitive commercial data through an automation path the user would not reasonably associate with a personal routine skill.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This script pulls data from Google Tasks and exports it into a local memory file, which materially expands the skill from prompting/planning into external account access and bulk data collection. In the context of a daily-routine skill, that scope expansion is risky because task titles, notes, due dates, and links may contain sensitive personal or work information that is copied into another storage location without clear necessity or user approval.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code initiates OAuth access to Google Tasks even though the skill is described as a daily planning and reflection assistant, not an external account integration. That mismatch increases the risk of over-privileged behavior and unexpected data access, especially because users may not anticipate being asked to authorize a third-party service for a routine-planning skill.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file performs Stripe/ARR subscription syncing, customer counting, and revenue persistence even though the skill is described as a daily routine and reflection tool. This capability mismatch is a strong indicator of hidden behavior because it grants access to sensitive business and customer billing data with no plausible relationship to the advertised functionality.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code uses privileged API credentials to call admin subscription endpoints and process revenue-related customer data, which is unjustified for a daily-rhythm assistant. In this context, the mismatch makes the capability more dangerous because users and reviewers would not expect hidden access to subscription administration inside a productivity skill.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The script persists ARR, customer counts, and customer identifiers into local memory/state files unrelated to the declared daily-planning behavior. Storing business-sensitive subscription data in a general workspace increases exposure, enables later misuse by other components, and is especially suspicious because the user would not expect such data collection from this skill.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README explicitly describes automated retrieval of calendar, task, weather, and optional ARR data, plus automatic saving of wind-down content into tomorrow's brief, but it does not clearly warn users that personal data will be accessed, stored, and modified on a schedule. In an automation skill handling daily routines, this omission can lead to uninformed consent and unexpected privacy or state changes, especially when cron jobs run unattended.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The setup and feature descriptions normalize automatic syncing with external services but do not clearly warn that user data will be transmitted to Google and possibly SkillBoss, then persisted locally. Missing privacy disclosures can lead users to expose task, calendar, and business data without understanding retention, transmission, or access boundaries.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The weekly review flow says it will create tasks in Google Tasks automatically, which means the skill can modify external user data. Without a clear warning and confirmation step, users may unintentionally authorize writes to their task account and end up with unwanted or incorrect task changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The template instructs saving user responses to memory files without any visible notice about retention, sensitivity, or later reuse. Reflection and planning answers may contain personal, emotional, health, or schedule information, so silent persistence creates privacy and consent risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Automatically creating Google Tasks modifies external user data, but the template does not mention confirmation, consent, or scope boundaries. In a planning skill, users may expect suggestions, not direct writes to connected services, so silent task creation can lead to unauthorized or unexpected changes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide instructs users to obtain OAuth credentials and API keys and store them locally or in environment variables, but gives no warnings about secret handling, file permissions, rotation, or exposure risk. In practice, this can lead users to place long-lived credentials in predictable locations where other local processes, backups, logs, or accidental commits could expose them.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation asks users to add a private ICS URL and configure recurring cron jobs, but does not warn that ICS links often function as bearer secrets and that cron creates ongoing background collection of calendar and routine data. If the URL is leaked or the automation is enabled without informed consent, private schedule information can be continuously exposed or processed unexpectedly.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script writes synchronized task data to a predictable local JSON file under the user's workspace without any visible warning, retention policy, or access control. Persisting task titles, notes, due dates, and links can expose sensitive personal data to other local processes, backups, or users of the same machine, making the daily-routine context more dangerous because users are likely to store highly personal reminders there.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code writes subscription-derived customer data to local files without any visible user disclosure, consent flow, or data-retention controls. Even if intended for internal metrics, this creates an undisclosed collection and persistence path for sensitive business/customer information.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The function performs authenticated outbound API calls without any indication that users are informed that the skill may contact external services using privileged credentials. In a daily-rhythm skill, undisclosed external communications are more concerning because they are outside user expectations, even if the destination appears legitimate.

VirusTotal

66/66 vendors flagged this skill as clean.
