ClawHub

Daily Report Recorder

Security checks across malware telemetry and agentic risk

Overview

This skill is a clearly scoped daily work-report helper that saves user-provided work notes to a local Markdown file, with privacy and auto-save behavior users should understand.

Install this only if you want work updates saved as local daily reports under /data/reports/daily. Avoid putting secrets, credentials, or sensitive internal details in report prompts unless that location is approved. Enable the optional cron schedule only if you want recurring report prompts, and review generated reports before using them for official submission.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases are very broad and map to ordinary workplace conversation such as meetings, debugging, testing, and plans. In an agent environment, this can cause unintended activation and silent collection or persistence of user content into a daily report, creating privacy, integrity, and surprise-action risks even without explicit malicious behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README describes automatic recording and archiving but does not clearly warn that the skill writes and updates Markdown files on disk at a persistent path. This can mislead users about side effects, increasing the risk of unauthorized or unexpected data retention, overwrites, and exposure of potentially sensitive work information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill is explicitly instructed to create or overwrite a persistent file under /data/reports/daily and to do so automatically when certain trigger phrases appear, but it does not require clear user consent at write time or provide a warning that persistent data will be modified. This creates a real risk of unintended file creation or alteration, especially because repeated invocations merge and rewrite existing content, which can silently change stored records.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The description is broad enough that the skill could be invoked for general note-taking, writing, polishing, and file-updating tasks beyond a narrowly scoped daily report workflow. Overly broad invocation criteria can cause the agent to select this skill in unintended contexts, increasing the chance of inappropriate file modification or disclosure of user work content.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The description specifies Chinese-language behavior by default without indicating that this depends on user preference. This can lead to undesired language switching, confusing outputs, or mishandling of user content when the user's preferred language is different.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal