ClawHub

Proactive Agent Lite

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill that broadly encourages proactive agent behavior, with no executable code, install actions, credential access, or evidence of data theft or destructive behavior.

Install this only where you want the agent to make more unsolicited suggestions and preserve continuity. Keep normal approval gates for external, sensitive, or state-changing work, and avoid using it in workflows where broad memory-style behavior would be inappropriate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README states that the skill will 'automatically begin exhibiting proactive behavior' with 'no additional configuration required,' which is a broad activation description for behavior that may influence actions, memory, and suggestions across workflows. In an agent skill focused on proactivity, this can cause unintended invocation or over-application of the skill’s behaviors in contexts where the user did not explicitly opt in, increasing the chance of unauthorized actions or data handling side effects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README promotes autonomous and persistent behaviors such as learning from every interaction, long-term memory, and self-healing, but does not clearly warn users about how these behaviors may affect data retention, external actions, or decision-making autonomy. This omission is risky because users may enable the skill without understanding that it could preserve sensitive context, act proactively, or influence downstream workflows beyond simple response generation.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill claims it "enhances any OpenClaw agent" and that users can "simply install and the agent will automatically begin exhibiting proactive characteristics," but it does not define boundaries, activation conditions, or safeguards. Broad, implicit activation increases the chance that the behavior affects unrelated agents or sensitive workflows without clear operator consent, which can lead to unsafe autonomy or prompt-scope creep.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal