ClawHub

Personal Growth Coach

Security checks across malware telemetry and agentic risk

Overview

This coaching skill appears aligned with personal learning, but it can read and write persistent self-improvement records from broad triggers without a clear consent or deletion flow.

Review before installing. Use it only if you are comfortable with the agent keeping local personal-growth session records, and prefer explicit commands plus a clear way to inspect, limit, or delete stored history.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger phrases and description are broad enough to match ordinary requests like 'quiz me' or 'personal growth' that may appear in unrelated contexts. This can cause unintended activation, leading the skill to read or write memory records when the user did not explicitly ask for this specific coaching workflow.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation conditions rely on vague intents like wanting to improve thinking or communication, which are common across many benign conversations. Because the boundaries are unclear, the skill could over-trigger in unrelated chats and begin a workflow involving persistent memory access without a sufficiently explicit request.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill explicitly reads prior learning records and updates persistent session logs, but the top-level description and user-facing behavior do not clearly disclose this data persistence. Users may unknowingly provide answers that are stored over time, creating privacy and consent risks and increasing the sensitivity of otherwise routine self-improvement interactions.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal