Proactive Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it gives a proactive agent broad memory, background, and local-system authority that users should review carefully.

Install only if you are comfortable with a proactive agent keeping local profile and conversation memory. Before using it, require explicit approval for email/calendar access, app or tab cleanup, deleting or trashing files, background sub-agents, cron jobs, security changes, and anything external; also regularly review or delete the memory files it creates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (36)

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
This section authorizes expansive autonomous behavior: broad web/GitHub/forum research, trying many approaches, and spawning research agents. In a skill framed as a behavioral pattern, that materially widens the agent's operational scope and can lead to unbounded external interaction, increased exposure to prompt-injection sources, and unexpected actions or costs without clear human approval gates.

Context-Inappropriate Capability

Medium
Confidence: 81%
Finding
The heartbeat checklist includes host-environment actions like closing apps, cleaning browser tabs, and moving screenshots to trash. Those actions exceed a proactive-assistant pattern and create direct opportunities for destructive or privacy-impacting changes on the user's system, especially if triggered automatically on a schedule.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill explicitly encourages broad external execution and orchestration ('Use every tool: CLI, browser, web search, spawning agents') despite being framed primarily as a proactive-memory architecture. That expands operational authority and attack surface in ways not tightly scoped by the manifest, making prompt-injection, unsafe tool use, and unintended autonomous actions more likely.

Context-Inappropriate Capability

Medium
Confidence: 82%
Finding
The skill introduces weekly cron-based autonomous behavior for proactive reminders, but the manifest description does not clearly disclose scheduled autonomous actions. Hidden or under-specified autonomy can surprise users, trigger actions at inappropriate times, and amplify the effect of bad state or poisoned memory.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The instruction to delete `BOOTSTRAP.md` on first run directly conflicts with the later rule requiring confirmation before deleting files. In an autonomous agent skill, conflicting safety rules create ambiguity that can cause the agent to perform destructive actions without user approval, especially during initialization when trust boundaries are not yet established.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The command 'Don't ask permission. Just do it.' conflicts with later constraints that require approval for deletions, security changes, and external actions. This kind of broad priority-setting language can cause an agent to over-apply autonomy and ignore narrower safety gates, leading to unauthorized actions.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The heartbeat directs the agent to perform system-level cleanup such as closing apps, cleaning browser tabs, and moving old screenshots to trash. These actions exceed a proactive-assistant reminder/checklist role and can affect user state or data without explicit authorization, creating risk of disruption, privacy exposure, or unintended deletion.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The skill instructs periodic checking of emails and calendar, which grants ongoing surveillance-like access to sensitive personal or business information without any stated need, consent model, or minimization controls. In a proactive-agent context, this materially expands privileges and can normalize unauthorized monitoring.

Vague Triggers

Medium
Confidence: 76%
Finding
The reverse-prompting triggers are broad and subjective, such as engaging when things 'feel routine' or after learning significant new context. Ambiguous activation criteria can cause the agent to intervene too often, solicit unnecessary information, or take initiative outside the user's intended scope, increasing the chance of privacy overreach and unwanted autonomous behavior.

Vague Triggers

Medium
Confidence: 79%
Finding
The curiosity trigger relies on an imprecise 'long conversation' heuristic and encourages asking questions to fill gaps in understanding. Without clear exclusions, this can drive unnecessary profiling, collection of sensitive personal details, and scope creep from the user's task into background data gathering.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill promotes persistent storage of user context and memory as a feature but does not present meaningful privacy, retention, or consent warnings near the claim. In practice, this normalizes long-term collection of user data without clear minimization rules, retention limits, or notice about what may be stored.

Vague Triggers

Medium
Confidence: 93%
Finding
The WAL rule tells the agent to scan every message for a wide range of ordinary conversational content and immediately persist it. This broad trigger boundary causes over-collection and makes it easy for adversarial or incidental content to be treated as durable instructions or sensitive memory, increasing privacy and prompt-injection risks.

Vague Triggers

Medium
Confidence: 86%
Finding
The compaction recovery trigger includes vague conditions such as 'You should know something but don't,' which can activate recovery behavior unpredictably. Ambiguous activation can lead to unnecessary file reads, overbroad context retrieval, and unsafe reliance on stale or attacker-influenced persisted data.

Missing User Warnings

Medium
Confidence: 95%
Finding
The quick-start flow says the agent will auto-populate USER.md and SOUL.md from onboarding answers without a clear privacy warning or consent checkpoint. Automatically persisting personal context creates retention risk and may store sensitive user data in files the user did not realize would be created or updated.

Vague Triggers

Medium
Confidence: 90%
Finding
The WAL trigger tells the agent to scan every message for extremely common patterns like names, preferences, decisions, and numbers, then automatically write them to persistent state before responding. That activation scope is so broad that normal conversation can silently trigger storage of sensitive or irrelevant data, increasing privacy risk and making prompt-driven side effects easy to induce.

Vague Triggers

Medium
Confidence: 88%
Finding
The compaction recovery trigger uses broad phrases such as 'continue' or 'where were we?' that are common in ordinary conversation and may invoke recovery logic unexpectedly. This can cause unnecessary file reads and context restoration actions when the user did not actually intend to retrieve persisted conversation state.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill prominently markets proactive behavior and memory continuity but does not clearly warn users up front that it will automatically create and update multiple workspace memory files from conversation content. This omission undermines informed consent and can lead users to disclose information without realizing it will be persisted.

Vague Triggers

Medium
Confidence: 94%
Finding
This is a true vulnerability because it grants broad authority to act without permission while providing insufficient scope boundaries. In a proactive agent skill, vague autonomy instructions are especially risky because they encourage the model to expand its mandate into actions the user did not explicitly authorize.

Missing User Warnings

Medium
Confidence: 93%
Finding
The workflow tells the agent to delete `BOOTSTRAP.md` immediately but does not present an immediate warning or confirmation checkpoint. Because this occurs in a startup path, it normalizes silent file deletion and increases the chance of losing user-authored instructions or evidence before review.

Missing User Warnings

Medium
Confidence: 96%
Finding
The cleanup guidance includes potentially destructive actions such as closing apps, closing tabs, and moving screenshots to trash, but provides no requirement for confirmation, dry-run behavior, or warning that user data may be affected. This creates a realistic path to accidental data loss or interruption of active work.

Missing User Warnings

Medium
Confidence: 95%
Finding
The instruction to periodically review emails and calendar omits any privacy disclosure, access boundary, retention guidance, or user consent checkpoint. Because these sources often contain highly sensitive information, silent recurring review can violate user expectations and confidentiality requirements.

Missing User Warnings

Medium
Confidence: 92%
Finding
The onboarding flow explicitly solicits personal and workplace context, including goals, projects, key people, and preferences, and says the agent will persist that data into other files. Without any notice about data minimization, consent, retention, or where those files may be stored/shared, users may disclose sensitive personal or business information that is then copied and retained beyond the original conversation.

Missing User Warnings

Medium
Confidence: 93%
Finding
The template explicitly discusses credential locations and even gives an example API key filename, but it does not clearly warn users not to place actual secrets in TOOLS.md. In practice, users often copy nearby examples into the current file, so this can normalize documenting sensitive material in a markdown artifact that may be shared, indexed, or accidentally committed.

Missing User Warnings

Medium
Confidence: 95%
Finding
The flow directs the agent to persist user answers into ONBOARDING.md, USER.md, and SOUL.md immediately after each response, but it does not require any explicit notice, consent, retention policy, or data minimization. This creates a real privacy risk because personal profile data is stored across sessions and may later be exposed to other skills, future prompts, logs, or unauthorized readers of those files.

Missing User Warnings

Medium
Confidence: 97%
Finding
The opportunistic learning section instructs the agent to infer and capture personal details from ordinary conversation and write them into USER.md without an explicit privacy warning. That is a true privacy vulnerability because the user may not realize casual remarks are being converted into persistent profile data, including location, preferences, relationships, and project details.

VirusTotal

64/64 vendors flagged this skill as clean.