Long-term Task Progress Manager

Security checks across malware telemetry and agentic risk

Overview

This is a real project-tracking skill, but it asks the agent to silently watch files and logs and save progress data without enough user control.

Install only if you want persistent project-tracking files and are comfortable reviewing what the agent saves. Before enabling auto-sync or file watching, require an explicit project directory, disable broad natural-language triggers where possible, keep logs and secrets out of scope, and regularly inspect PROGRESS.md, MEMORY.md, and backup files. I found no artifact-backed evidence of exfiltration, destructive code, or hidden executable payloads, so this is Review rather than malicious.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Vague Triggers (Medium severity, 90% confidence)

The documented natural-language triggers are very broad: common words like 'start', 'progress', 'end', and their Chinese equivalents, which are likely to appear in ordinary user conversation. In an agent skill, this can cause unintended state changes, progress writes, or checkpoint actions without explicit user intent, which creates integrity and workflow-manipulation risk rather than direct code-execution risk.

Vague Triggers (High severity, 95% confidence)

The natural-language trigger list includes very common words like "progress," "done," "bye," and their Chinese equivalents, which can activate the skill during ordinary conversation rather than explicit user intent. In this skill, accidental activation is especially risky because activation can lead to persistent writes, background monitoring behavior, and recording of workspace state.

Vague Triggers (Medium severity, 89% confidence)

The top-level trigger condition activates whenever a user starts a project that may span multiple sessions or asks for progress management, which is broad and subjective. Because the skill performs file creation, updates MEMORY.md, and may initiate passive tracking, ambiguous activation can cause unintended state changes and data retention.

Missing User Warnings (High severity, 98% confidence)

This section describes passive background monitoring of HEARTBEAT.md and automatic recording of workspace state and recent error logs, while explicitly noting it may occur without user awareness. That creates a privacy and transparency failure because potentially sensitive project details can be persistently captured without informed consent.

Missing User Warnings (Medium severity, 93% confidence)

The backup mechanism automatically writes backup files before overwriting PROGRESS.md, but the skill does not require explicit warning or consent for these persistent writes and retained copies. This can unexpectedly duplicate sensitive content and increase exposure through stale backups that users may not know exist.

Natural-Language Policy Violations (Medium severity, 86% confidence)

The skill enables mixed-language prompts and trigger handling across English and Chinese without requiring the user to select a language or opt in. This expands the activation surface and can cause unintended prompting or data capture in multilingual conversations, though the issue is primarily one of consent and predictability rather than direct exploitation.

Ssd 3 (Medium severity, 92% confidence)

The skill is designed to preserve project context across long gaps and transform short-term conversation memory into structured long-term documents, but it does not impose content minimization or sensitivity boundaries. That can lead to persistent storage of secrets, personal data, or internal project details beyond what is necessary for task continuity.

Ssd 3 (High severity, 99% confidence)

The passive auto-sync explicitly instructs the agent to read current workspace state, including last modified files and recent error logs, and record snapshots in PROGRESS.md without user awareness. This is covert collection and persistence of potentially sensitive operational data, making the context of this skill materially more dangerous than a normal note-taking aid.

Ssd 3 (Medium severity, 90% confidence)

The auto-save rules direct generation of incremental session summaries and syncing progress percentages into MEMORY.md on timed intervals, encouraging broad retention of activity details in persistent files. Without scope limits, this can accumulate unnecessary cross-session data and create a durable record of user behavior and project internals.

Ssd 3 (Medium severity, 90% confidence)

The multi-agent handoff protocol requires including PROGRESS.md summaries in context when switching agents, which broadens distribution of accumulated project data without defining least-privilege boundaries. In a multi-agent environment, this can unnecessarily expose sensitive summaries to components or roles that do not need full context.

VirusTotal

64/64 vendors flagged this skill as clean.