Daily Rhythm

Security checks across malware telemetry and agentic risk

Overview

The skill discloses its planning, task, Stripe, and cron features, but it needs review because it uses sensitive Google and Stripe credentials with hard-coded local paths and recurring automation.

Install only after editing the scripts for your own workspace paths, removing the /Users/tom dependency path, and deciding which integrations you actually need. Use restricted Google and Stripe credentials, avoid committing .env.stripe or token files, review the local memory files, and add only cron jobs you understand and can remove later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documents capabilities to read/write local files, use environment-provided secrets, and access external networks, but it does not declare corresponding permissions or clearly bound those actions. This creates a transparency and consent problem: users may enable a routine/planning skill without realizing it will access OAuth credentials, Stripe keys, local memory files, and external APIs on a schedule.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The advertised purpose is daily planning and reflection, but the behavior includes business-metric syncing, Google Tasks export, Stripe ARR retrieval, and persistent state updates. That mismatch is dangerous because it can trick users into authorizing broader data access than expected, especially for financial and personal task data, under the guise of a simple productivity routine.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The template instructs the agent to use multiple external integrations—Telegram/WhatsApp/Signal, Google Tasks, Stripe ARR, calendar ICS, and weather—despite the skill being described as a daily planning and reflection tool. This broadens data access and outbound communication scope beyond user expectations, increasing the risk of unnecessary data exposure, unauthorized messaging, and over-privileged behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Collecting or syncing Stripe ARR introduces access to sensitive business financial metrics that are not necessary for a routine, reflection, or sleep-coaching workflow. In this context, the mismatch is especially concerning because it creates unjustified exposure of commercial data and may normalize pulling sensitive information into daily messages or memory without a clear need.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The configuration broadens a daily routine skill into business revenue monitoring by syncing Stripe ARR, which introduces access to financial data and payment-system credentials unrelated to the core scheduling/reflection purpose. This expands the skill's privilege and data exposure surface without a strong functional justification, increasing the chance of unnecessary secrets handling and accidental leakage.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The guide instructs users to obtain and use a live Stripe API key for ARR tracking even though the skill is described as a daily routine/planning system. Asking for production payment credentials in this context is dangerous because it normalizes over-privileged secret use and could expose sensitive business data if the workspace, scripts, or logs are compromised.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The morning brief script invokes a Stripe ARR synchronization step even though the skill is described as a daily planning and reflection assistant. That creates unjustified access to business-sensitive revenue data and expands the skill’s privilege scope beyond user-expected behavior, increasing the chance of inappropriate data exposure or misuse.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Accessing Stripe ARR data from a routine/planning skill is a capability mismatch and violates least-privilege expectations. Even without overt exfiltration in this file, pulling payment analytics into an unrelated automation can expose sensitive commercial information to logs, downstream prompts, or other components that were never intended to handle it.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script performs bulk synchronization of Google Tasks data and exports detailed task contents to a local memory file, which goes beyond the stated daily-planning/reflection behavior and expands the skill’s data-access surface. In this context, the mismatch matters because task titles, notes, due dates, and links can contain sensitive personal or work information, and the code persists that data without clear scope justification or minimization.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code introduces an external Google OAuth/API integration even though the skill description presents a routine-coaching function rather than a third-party account integration. That discrepancy increases risk because users may not expect account linking, token handling, or remote data retrieval, making consent and trust boundaries unclear.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This file performs Stripe subscription retrieval, ARR calculation, and customer tracking, which is unrelated to the declared daily-planning and reflection purpose of the skill. Capability/scope mismatch is dangerous because it can hide undisclosed access to financial systems inside an innocuous skill, increasing the likelihood of covert data collection or unauthorized business telemetry.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code introduces finance API access using a Stripe API key and persists ARR/customer metrics despite the skill being presented as a daily routine assistant. In this context, undeclared billing access is especially suspicious because users and reviewers would not expect financial-data handling, making unauthorized access harder to notice and easier to abuse.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger language is broad enough to match ordinary productivity or scheduling conversation, increasing the chance the skill is invoked in contexts where the user did not intend automation, data syncing, or background scheduling. In a skill with network access, file writes, and persistent cron setup, overbroad activation raises the risk of unintended execution and surprise data handling.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The feature/setup text describes automation and data integrations, but it does not prominently warn users that personal task data, calendar data, daily reflections, and business metrics may be stored locally and processed on a recurring schedule. Missing disclosure undermines informed consent and increases privacy risk when the skill persists sensitive routine and productivity data over time.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The template directs saving a user's wind-down response to persistent memory without any notice, retention policy, or privacy warning. Because these reflections can contain sensitive personal, emotional, health-adjacent, or schedule information, silent persistence increases privacy risk and can violate user expectations about ephemeral coaching interactions.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The instructions tell users to place a live Stripe secret key in a plaintext `.env.stripe` file in the workspace and provide no guidance on access controls, encryption, or exclusion from version control. Plaintext storage of production API secrets materially increases the risk of credential theft through accidental commits, local compromise, backups, or other tools reading workspace files.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script writes synced Google Tasks data, including task titles, notes, due dates, and links, to a local JSON file without any warning or consent about persistent storage. This is dangerous because task contents often contain sensitive personal, health, financial, or work details, and local persistence increases exposure to other local users, backups, or later misuse by other components.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
OAuth tokens are serialized to disk without any explicit warning that credentials will persist locally beyond the session. Persisted tokens can allow continued access to the user’s Google Tasks account if the local machine, workspace, or files are exposed, especially since there is no visible hardening of file permissions or secret storage.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script writes customer_ids and revenue-related data to a local memory directory without any notice, consent, retention controls, or access restrictions. Even though it stores IDs rather than full customer records, these identifiers and business metrics are sensitive and can enable customer enumeration, profiling, or leakage of commercial performance if the filesystem is exposed.

Session Persistence

Medium
Category
Rogue Agent
Content
Option A: System Cron (Traditional)
```bash
crontab -e

# Add these lines:
0 7 * * * cd /path/to/workspace && python3 skills/daily-rhythm/scripts/sync-stripe-arr.py
```
Confidence
93% confidence
Finding
crontab -e

VirusTotal

65/65 vendors flagged this skill as clean.
