Daily Briefing

Security checks across malware telemetry and agentic risk

Overview

This daily briefing skill is purpose-aligned, but it deserves review because it can collect very sensitive personal data and leave a consolidated copy in /tmp.

Review before installing, especially on shared machines or automated setups. Enable only the integrations you need, treat email summaries and cron logs as sensitive, avoid storing mail passwords in plain config where possible, and clean or restrict /tmp/daily_briefing_data.json after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs the agent to invoke shell commands (`bash` runner and `curl`) while declaring no permissions. That creates a trust and review gap: operators may approve or install the skill without realizing it executes local scripts and network requests, increasing the chance of unintended command execution in an automation context.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior expands beyond the stated purpose by collecting contacts, reading user config, producing a contacts dataset for semantic email analysis, and adding other data not disclosed in the description. This is dangerous because users may grant access expecting a simple daily briefing while the skill aggregates additional sensitive personal data from contacts, calendars, reminders, and email-related sources.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill sends the user's configured location to `wttr.in` via an external HTTP request, but the documentation does not clearly warn the user that their location data will leave the local system. In a personal assistant context, location can be sensitive, and silent third-party disclosure creates a privacy risk even if the endpoint is legitimate.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script reads a local configuration file that may contain sensitive personal settings and an iCloud mail password, then uses those values to drive collection from email and other personal data sources. In a skill intended to generate a briefing this access may be functionally expected, but it is still privacy-sensitive because the file gives no in-script notice, consent check, minimization, or protection boundaries around credential-derived behavior.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script aggregates highly sensitive personal data from Contacts, Calendar, Reminders, and Mail into a single JSON artifact. Even if this is the intended feature of a daily briefing skill, centralizing those sources substantially increases exposure because compromise of the output file or downstream consumer reveals a broad cross-section of the user's private life.

Missing User Warnings

High
Confidence
99% confidence
Finding
The script writes aggregated personal data to predictable paths under /tmp, including a canonical filename, which can expose sensitive data to other local users or processes depending on system configuration and file permissions. Using a world-accessible temporary directory for calendars, emails, contacts, reminders, and birthdays creates a clear confidentiality risk and can also enable symlink or file-replacement attacks if not carefully hardened.

Ssd 3

Medium
Confidence
89% confidence
Finding
The skill instructs the agent to extract and include email sender/subject information in the final briefing, which may expose private communications in chat replies, cron logs, notifications, or shared terminals. Because the output is designed for automated delivery, even concise summaries can leak sensitive financial, personal, or security-related message contents to unintended viewers.

VirusTotal

66/66 vendors flagged this skill as clean.
