Proactive Agent Jarvis

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives an assistant broad persistent memory and proactive control without enough user consent or limits.

Install only if you explicitly want a highly proactive assistant that keeps durable local notes about you and your work. Before using it, rewrite or disable automatic message logging, require consent before saving personal details, remove unattended app/tab/file cleanup, disable email/calendar checks unless intentionally authorized, and review any BOOTSTRAP.md or cron/sub-agent behavior before allowing it to run.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (32)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill explicitly tells the agent to use broad capabilities such as CLI, browser, web search, and spawning agents while pursuing a vague goal of trying many approaches. That materially expands the action surface beyond memory/context management and can lead to unreviewed external interactions or delegated execution chains without clear task-scoped limits.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The skill instructs the agent to create weekly cron-job reminders, introducing autonomous scheduled behavior not clearly bounded by user consent or the declared purpose. Scheduled execution can cause the agent to act outside the immediate user interaction loop and persist behavior the user may not expect.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding:
This heartbeat file authorizes system-level actions such as closing apps, cleaning browser tabs, and moving screenshots to trash, which exceed a typical proactive-assistant checklist and can affect the host environment. In the context of an autonomously polling heartbeat, these instructions create a real risk of unintended or unauthorized state changes, data loss, or disruption without explicit user approval.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding:
The reverse-prompting triggers are intentionally broad and subjective, such as acting when things feel routine or after learning new context. In an agent with autonomy and persistence features, this can cause unsolicited interventions, excess data collection, or user-manipulation patterns outside clearly bounded user intent.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The curiosity trigger activates on 'long conversation' without defining thresholds or consent boundaries. That makes personal probing likely to occur too broadly, increasing the chance of intrusive questioning and collection of unnecessary profile data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill advertises persistent memory and onboarding-based learning but does not provide a clear user-facing notice about what is stored, for how long, and with what sensitivity rules. This creates privacy and compliance risk because users may disclose information without understanding retention behavior.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The WAL trigger criteria are extremely broad, covering common conversational elements like preferences, proper nouns, decisions, edits, and numbers. That means the skill will activate on many routine turns, causing pervasive state updates and increasing the chance of over-collection, erroneous persistence, and unsafe behavior chaining.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The compaction recovery auto-triggers rely on ambiguous conditions such as 'you should know something but don't' or generic phrases like 'continue' and 'where were we?'. This can cause unintended recovery routines, unnecessary file reads, and overbroad data resurfacing in ordinary conversations.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The onboarding flow and memory architecture direct the agent to auto-populate persistent profile files such as USER.md and SOUL.md from user answers, without an explicit privacy notice or consent mechanism. This creates a meaningful privacy and retention risk because personal context is accumulated by default and may later be reused or exposed.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The working-buffer protocol requires storing every message after a context threshold, including full human messages and agent summaries, with 'no exceptions'. Mandating verbatim persistent logging without clear disclosure or consent significantly increases the risk of capturing secrets, personal data, and sensitive business information.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
The WAL trigger instructs the agent to scan every user message for a broad set of common patterns and to write matched content before responding. This creates an overbroad, always-on persistence mechanism that can capture sensitive data from normal conversation without clear minimization or user consent.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
The compaction-recovery auto-trigger activates on vague phrases like 'continue' or 'where were we,' which are common in ordinary dialogue. This can cause unnecessary reading of prior logs and memory files, increasing the chance of surfacing stale or sensitive context when not actually needed.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill markets memory features but does not clearly warn users that it may automatically create and update multiple workspace files based on their messages. That lack of transparency undermines informed consent and can lead users to disclose information they would not expect to be persistently stored.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding:
The directive to read multiple memory and identity files 'before doing anything', combined with the instruction 'don't ask permission. Just do it.', creates broad autonomous behavior without clear scoping or user confirmation. In a proactive agent skill, this increases the chance of unnecessary access to sensitive local context and makes it easier for later poisoned files to influence behavior.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The instruction 'If BOOTSTRAP.md exists, follow it, then delete it' authorizes execution of a local file and deletion of evidence without any warning, review step, or confirmation. This is dangerous because BOOTSTRAP.md could be attacker-controlled or accidentally unsafe, and automatic deletion reduces auditability and user awareness.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The checklist directs the agent to research issues, attempt fixes, edit files, close apps and tabs, and delete screenshots, but it provides no user-facing notice, approval boundary, or rollback guidance. Because the file is meant for periodic heartbeats, these actions could be performed routinely and autonomously, making accidental changes and destructive behavior materially more likely.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
Periodic checks of emails, calendar, and projects instruct the agent to access potentially sensitive personal or organizational data without surfacing privacy implications or consent requirements. In a proactive autonomous workflow, this broad and recurring access increases the chance of overcollection, privacy violations, and exposure of confidential information.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
This template explicitly encourages storing highly sensitive personal, relational, and timeline data such as birthdays, anniversaries, preferences, project context, and relationship details, but provides no guidance on minimization, consent, retention, access controls, or secure storage. In an agent memory system, that kind of structured long-term memory increases the likelihood of over-collection, privacy violations, and unauthorized disclosure if the memory store is synced, logged, or exposed to other tools.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The file explicitly states that the agent will persist personal onboarding responses into other files (USER.md and SOUL.md) without any visible privacy notice, consent checkpoint, retention guidance, or warning that the information will be stored and reused. Because the questions solicit personal and potentially sensitive context about identity, work, goals, and relationships, silent persistence increases the risk of overcollection, unexpected retention, and downstream exposure to other tools, prompts, or users with repository access.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The document explicitly encourages documenting where credentials are stored and gives a concrete example secret file path, but provides no safeguards about least privilege, secret managers, access controls, or avoiding accidental disclosure. In an agent-oriented skill, operational notes are often copied, surfaced in context, or inspected by automation, which increases the chance that secret locations or related handling practices are exposed and later abused.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
This template explicitly solicits personal context such as name, preferred name, timezone, relationships, work habits, and other user-specific notes without any privacy notice, data-minimization guidance, or handling restrictions. In an agent skill designed to make the assistant more proactive and continuously adaptive, this increases the chance that unnecessary sensitive profile data will be collected, retained, and reused in ways the user does not fully expect.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The workflow explicitly instructs the agent to persist user answers into ONBOARDING.md, USER.md, and SOUL.md, but does not require notice, consent, minimization, or retention controls. This creates a privacy risk because personal preferences, goals, and potentially sensitive profile data may be stored by default without the user understanding that durable memory files are being updated.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The opportunistic learning section instructs the agent to infer and record personal details from ordinary conversation into USER.md without warning the user that profiling and persistence are happening. This is more dangerous in context because the skill promotes continuous, proactive learning over time, which can lead to covert accumulation of personal data beyond what the user intentionally disclosed for storage.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
The architecture explicitly stores user context, goals, principles, tool notes, and daily memory captures across multiple persistent files. Broad retention of normal conversation data without minimization or sensitivity filtering raises substantial privacy and secret-handling risk, especially if the workspace is shared, synced, or later accessed by other agents.

Ssd 3

Severity: Medium
Confidence: 97%
Finding:
The memory flush guidance tells the agent to write enough detail that future sessions can continue from notes alone, including decisions, reasoning, action items, and open threads. That encourages full conversational capture and long-term preservation of potentially sensitive content beyond what is necessary for task execution.

VirusTotal

65/65 vendors flagged this skill as clean.
