Proactive Agent Andy27725

Security checks across malware telemetry and agentic risk

Overview

This is a coherent proactive-assistant skill, but it asks for broad persistent memory, background monitoring, and local-environment actions without enough user control.

Install only if you explicitly want an agent that keeps long-term personal memory and performs proactive background checks. Before using it, disable or tightly scope email/calendar monitoring, autonomous crons or spawned agents, app/tab/file cleanup, and automatic memory capture. Avoid storing secrets or highly sensitive personal information, and regularly review or delete generated memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration

Findings (40)

Context-Inappropriate Capability (Medium, 84% confidence)

This section instructs the agent to create an autonomous cron job that will generate future system events without a fresh user request. That expands the skill from passive guidance into persistent autonomous behavior, which can surprise users, create unwanted prompts, and become a foothold for broader unattended actions in environments where cron payloads are powerful.

Context-Inappropriate Capability (Medium, 95% confidence)

The skill explicitly encourages using browser, web search, CLI, and spawning agents as fallback behavior under 'relentless resourcefulness' without task-scoped authorization boundaries. That expands the agent's operational surface beyond passive assistance into potentially unsafe external actions, especially when paired with proactive behavior and persistence features.

Context-Inappropriate Capability (Medium, 93% confidence)

The instruction to create a weekly cron job introduces autonomous scheduled execution that can act without a contemporaneous user request. In a skill centered on proactivity and self-improvement, scheduled triggers materially increase the chance of unsupervised actions, data processing, or recurring outreach.

Description-Behavior Mismatch (Medium, 87% confidence)

The operating rules authorize broad actions like web searching, checking calendars, and working freely within the workspace, which goes beyond the stated purpose of a proactivity/improvement skill and expands the agent's behavioral scope. Even though some guardrails are present, this creates unnecessary authority that could be abused or cause overreach in deployments where email/calendar/workspace access is available.

Context-Inappropriate Capability (Medium, 95% confidence)

The heartbeat section instructs the agent to monitor emails and calendars and decide when to reach out, introducing surveillance-like behavior and autonomous initiation unrelated to the core skill description. This increases privacy and boundary risks, especially because these are sensitive data sources and the polling behavior can occur without a fresh user request.

Context-Inappropriate Capability (Medium, 97% confidence)

The instruction to use every tool, including CLI, browser, web search, and spawning agents, is a broad capability escalation directive with no task-based restriction. In practice, this encourages uncontrolled exploration and multi-tool chaining that can amplify mistakes, bypass intended approvals, or increase attack surface when the agent encounters adversarial content.

Description-Behavior Mismatch (Medium, 95% confidence)

This section explicitly instructs the agent to modify the user's local environment by closing apps, cleaning browser tabs, and moving files to trash during periodic heartbeats. That materially expands the skill from proactive assistance into autonomous system administration and workspace manipulation, creating risk of data loss, workflow disruption, and actions taken without contemporaneous user approval.

Description-Behavior Mismatch (Medium, 90% confidence)

The heartbeat directs proactive inspection of emails, calendar, projects, and ideas on a recurring basis, which broadens the skill into ongoing monitoring of personal operational data. For a proactive assistant, this may be thematically related, but without explicit consent boundaries, access scoping, or privacy controls, it encourages unnecessary surveillance-like behavior.

Context-Inappropriate Capability (Low, 80% confidence)

The log-review command encourages reading local application logs from /tmp/clawdbot/*.log, which is a capability not clearly justified by the stated proactive-partner purpose. While framed as self-healing, it still expands local file inspection and could expose sensitive operational or user data captured in logs.

Context-Inappropriate Capability (High, 97% confidence)

These instructions direct the agent to close apps, curate browser tabs, and move screenshots to trash, all of which alter the user's environment and can be destructive. Because they are embedded in a periodic checklist rather than an explicitly requested task, they normalize autonomous actions that may interrupt active work or delete information the user expected to keep.

Context-Inappropriate Capability (Medium, 85% confidence)

The onboarding reference expands the agent's post-onboarding behavior into proactive task initiation, including 'build things I think you'll find useful.' That broadens scope from profile collection into autonomous action without clear authorization boundaries, creating a risk that the agent performs unintended work based on inferred preferences.

Missing User Warnings (Medium, 92% confidence)

The skill prominently advertises memory persistence and auto-population of user profiles, but it does not present a clear up-front warning that personal conversation-derived data will be written to files. This creates consent and privacy risk because users may disclose sensitive information without realizing it is being retained long-term in workspace artifacts.

Vague Triggers (Medium, 88% confidence)

Scanning every message for broad categories like corrections, preferences, names, and specific values creates a very low threshold for activating stateful workflows. This can cause the agent to persist sensitive information or alter task state from ordinary conversation, increasing privacy and prompt-manipulation risk.

Vague Triggers (Medium, 84% confidence)

The compaction recovery auto-triggers rely on vague phrases and subjective conditions such as 'you should know something but don't,' which can be invoked accidentally or through adversarial prompting. That can cause unnecessary file reads, state restoration, or overconfident recovery behavior from untrusted cues.

Missing User Warnings (Medium, 97% confidence)

The working buffer protocol directs the agent to append every message after a context threshold, including both user content and agent summaries, into persistent storage. This is a clear data retention risk because users are not prominently warned that ordinary conversation may be logged wholesale to workspace files.

Missing User Warnings (Medium, 94% confidence)

The memory architecture directs broad persistence of user context, goals, preferences, and identity-related material across files such as USER.md and SOUL.md without clear consent or minimization controls. In practice this creates a durable repository of personal data that could later be exposed, misused, or searched by other workflows.

Vague Triggers (Medium, 89% confidence)

The WAL trigger instructs the agent to scan every user message for broad categories like corrections, preferences, names, and specific values, then persist them before responding. This creates an always-on capture mechanism that can over-collect sensitive data and can be manipulated by adversarial content to induce storage of secrets or untrusted instructions in durable memory.

Vague Triggers (Medium, 81% confidence)

The compaction recovery auto-trigger includes vague phrases such as 'continue' or 'where were we?' that can occur in ordinary conversation and cause recovery actions to fire without sufficient context. In practice this can prompt unnecessary file reads and state reconstruction from stored logs, increasing the chance of exposing prior sensitive context or acting on stale state.

Vague Triggers (Medium, 91% confidence)

'Don't ask permission. Just do it.' is an overbroad autonomy instruction that can cause the agent to take actions before clarifying scope, consent, or sensitivity. Although later sections add some safety checks, this early directive pushes toward action-first behavior and can override cautious decision-making in ambiguous situations.

Missing User Warnings (Medium, 93% confidence)

The first-run instruction says to follow BOOTSTRAP.md and then delete it, which authorizes file deletion and execution of bootstrap instructions without any user-facing warning or confirmation. Because BOOTSTRAP.md could contain sensitive setup logic or be modified adversarially, automatic deletion also removes evidence and impairs auditability.

Missing User Warnings (Medium, 96% confidence)

The cleanup checklist includes potentially destructive actions without a user-facing warning, confirmation flow, or safe-failure guidance. Even if intended as productivity help, closing applications, changing browser state, and trashing files can cause loss of unsaved work or removal of useful artifacts.

Missing User Warnings (Medium, 91% confidence)

The instructions encourage periodic inspection of emails, calendar, and projects without any explicit privacy warning or consent notice. In a proactive-assistant context this is adjacent to the skill's purpose, but recurring access to sensitive personal data without clear user authorization increases privacy and confidentiality risk.

Missing User Warnings (Medium, 93% confidence)

This template explicitly encourages storing highly sensitive personal data, including preferences, important dates, ongoing context, and relationship information, but provides no privacy warning, minimization guidance, consent requirement, or handling restrictions. In a proactive agent context with long-term memory, this increases the likelihood of over-collection, retention of unnecessary personal data, and accidental exposure or misuse of sensitive information.

Missing User Warnings (Medium, 94% confidence)

The file solicits sensitive personal and professional context, including identity, timezone, goals, work projects, and key relationships, then instructs the agent to persist that information into local profile files without any consent flow, retention limit, access warning, or data-handling guidance. In a proactive agent skill, this creates a real privacy and safety risk because the agent is explicitly designed to accumulate longitudinal user context that could later be exposed, overused, or used in ways the user did not fully expect.

Vague Triggers (Medium, 89% confidence)

The 'drip mode' behavior authorizes the agent to ask onboarding questions 'naturally over several days' without a precise trigger, scope limit, cadence, or revocation mechanism. In the context of a proactive agent, that ambiguity can lead to unsolicited collection of personal information during unrelated interactions, blurring consent boundaries and making it easy for the agent to keep probing after the user intended to defer or skip onboarding.

VirusTotal

66/66 vendors flagged this skill as clean.