Todozi - Your AI Task Manager

Security checks across malware telemetry and agentic risk

Overview

This is a Todozi task-manager API skill whose purpose is disclosed. It carries real account-access risks, but the risky behavior is mostly what its purpose requires, not hidden exfiltration.

Install this skill only if you want an agent to access and modify your Todozi account. Use a Todozi API key you are comfortable granting to this skill; do not override TODOZI_BASE unless you trust the endpoint; require explicit approval for deletes, bulk changes, and completions; and configure webhooks only to HTTPS URLs you control or trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Description-Behavior Mismatch

Medium (94% confidence)

Finding: The skill exposes read and write operations for user preferences and learned_context even though the declared skill surface does not mention preference management. This creates a hidden data-management capability that could let an agent access or persist user profiling data without the user's informed consent, increasing privacy and trust risks.

Description-Behavior Mismatch

High (97% confidence)

Finding: The code supports account registration and returns public/private key material, but this capability is not disclosed in the skill metadata. Hidden credential-issuance functionality is dangerous because an agent could create accounts or obtain secrets on behalf of a user without clear consent, potentially expanding persistence and unauthorized access.

Missing User Warnings

Medium (84% confidence)

Finding: The documentation presents destructive remote actions such as bulk completion and deletion as routine examples without any caution, confirmation, or rollback guidance. In an agent setting, this can normalize high-impact state-changing operations and increase the risk of accidental mass modification of a user's Todozi data.

Missing User Warnings

Medium (90% confidence)

Finding: Webhook creation and update are documented without warning that task or event metadata may be sent to arbitrary external URLs. This can expose user activity or content to third parties and enable data exfiltration if an agent or user configures an untrusted endpoint.

Missing User Warnings

Medium (88% confidence)

Finding: The webhook documentation encourages sending task, goal, note, and matrix metadata to arbitrary external URLs without any privacy, data-handling, or destination-trust warning. In an agent context, this increases the risk of unintended data exfiltration because users may register attacker-controlled webhook endpoints and cause ongoing transmission of workspace data.

Missing User Warnings

Medium (90% confidence)

Finding: The task-creation tool performs a remote state-changing API call and may also auto-create a default matrix, but the interface presents it as a simple tool action without an explicit warning or confirmation step. In an agent setting, this can cause unintended writes to a user's external account from ambiguous prompts or prompt-injection-driven tool use.

Missing User Warnings

Medium (91% confidence)

Finding: The completion tool mutates remote task state immediately with no user-facing confirmation or friction. In an agent workflow, a mistaken or manipulated invocation could silently mark tasks complete, causing loss of task integrity and potentially disrupting productivity workflows.

VirusTotal

69/69 vendors flagged this skill as clean.