Natural Language Planner

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real planner skill, but it needs review because it can expose an unauthenticated task dashboard and attachments beyond the local machine despite its local-only privacy framing.

Install only if you are comfortable with a planner that stores conversation-derived tasks in local Markdown files and may run a local web dashboard. Keep it on localhost for sensitive work. Avoid LAN mode, public tunnels, static hosting, and systemd persistence unless you understand that the dashboard has no authentication and anyone with network access or the public URL may view tasks and attachments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (19)

Description-Behavior Mismatch

Medium, 87% confidence
Finding
The README materially expands a local task-planning skill into remote exposure and static publishing of task data, including tunnel-based access and export for third-party hosting. Even if documented as optional features, this increases the attack surface and can lead users to expose sensitive task contents, deadlines, notes, and attachments beyond the local machine.

Intent-Code Divergence

High, 95% confidence
Finding
The documentation says the design is 'local-first' and that data 'never leaves your machine' while also describing tunnel sharing and static export/hosting. This contradiction can mislead users into underestimating the privacy risk and expose confidential planning data because they may trust the local-only claim when enabling remote features.

Description-Behavior Mismatch

Medium, 96% confidence
Finding
The skill includes instructions to expose task data over the LAN, via public tunnels, and through static hosting, while also noting there is no authentication. In context, the data being handled includes tasks, notes, context, and attachments, so accidental exposure can leak sensitive personal or business information to anyone on the network or anyone possessing the public URL.

Context-Inappropriate Capability

Medium, 90% confidence
Finding
The systemd administration guidance instructs the agent to help set up a persistent boot-time service for the dashboard, extending the runtime and exposure of the application beyond an interactive planner session. This increases risk because a continuously running service can keep sensitive task data available on a port, may survive user expectations, and introduces operational and privilege-management hazards unrelated to core planning behavior.

Description-Behavior Mismatch

Medium, 94% confidence
Finding
The CLI explicitly documents a `tunnel` command for remote dashboard access, which expands the skill from a local task manager into an internet-exposed service. In this context, that matters because the same file later warns that the dashboard has no authentication, so exposing it publicly can leak task, project, and potentially sensitive planning data.

Context-Inappropriate Capability

Medium, 98% confidence
Finding
This code starts a public tunnel to the dashboard and prints a public URL while acknowledging that 'the dashboard has no authentication.' That creates a real unauthorized-access risk: anyone obtaining the URL can browse the planner dashboard and access potentially sensitive task, project, or deadline information from outside the local machine.

Description-Behavior Mismatch

Medium, 90% confidence
Finding
The server can be configured to bind to 0.0.0.0 via `allow_network` / `dashboard_allow_network`, which exposes task data and attachment-serving endpoints to other hosts on the local network without any authentication or access control. In the context of a planner skill handling potentially sensitive project notes, deadlines, and files, LAN exposure materially expands the trust boundary beyond a purely local dashboard.

Context-Inappropriate Capability

Medium, 84% confidence
Finding
The `/api/attachment/<project>/<file>` route serves workspace files over HTTP, including project attachments and media, and these can become remotely accessible whenever the dashboard is exposed beyond localhost. Although there is path traversal mitigation, the capability still enables broad file disclosure of user-managed content that is not necessary for basic task/project metadata display and may include sensitive documents.

Description-Behavior Mismatch

Medium, 91% confidence
Finding
The file adds functionality to expose a local dashboard to the public internet through third-party tunnel services, which materially expands the skill's attack surface beyond a local project-management dashboard. If enabled without strong safeguards, any weaknesses in the dashboard or its data handling become remotely reachable, increasing risk of unauthorized access and data disclosure.

Context-Inappropriate Capability

Medium, 92% confidence
Finding
The code can automatically launch external binaries that publish a localhost service externally, a capability that is not clearly justified by the stated natural-language planning use case. This broadens system and data exposure and could allow sensitive task/project content on the dashboard to be accessed from the internet if the dashboard itself lacks strong authentication and transport protections.

Missing User Warnings

Medium, 85% confidence
Finding
The README describes automatic activation and task capture from natural conversation without clearly warning that user utterances may be persisted to local Markdown/YAML files. In a conversational assistant context, users may reveal sensitive personal or business information unintentionally, so silent persistence creates a meaningful privacy risk.

Missing User Warnings

Medium, 89% confidence
Finding
The README says the assistant auto-starts the dashboard but does not clearly state that this launches a local web server serving task data. Users may not realize that sensitive task/project information becomes accessible via HTTP on the host, which is especially risky on shared machines or if later combined with network binding or tunneling.

Vague Triggers

Medium, 88% confidence
Finding
The activation guidance is broad enough that ordinary conversation about tasks or projects can trigger the skill and begin persistent capture behavior. In context, this is risky because the skill stores structured task data and conversation context locally, so over-triggering can lead to silent collection and retention of information the user did not intend to save.

Vague Triggers

Medium, 91% confidence
Finding
Instructing the agent to monitor every conversation turn for task signals creates continuous broad-scope capture pressure rather than event-driven, user-directed behavior. This is dangerous because it increases the chance of unintended storage, misclassification, and silent accumulation of sensitive conversational details into the planner workspace.

Missing User Warnings

Medium, 94% confidence
Finding
The skill instructs the agent to save a brief summary of the conversation as task context without a clear notice that this content will be persistently stored. That is risky because users may reveal sensitive business, personal, or operational details during conversation and not expect those details to be retained in local files and later surfaced in the dashboard.

Missing User Warnings

Medium, 90% confidence
Finding
The examples normalize state-changing behavior from ordinary conversation by having the skill create tasks, update statuses, and record notes without an explicit confirmation or warning that persistent task data will be modified. In a planner skill, this can lead to unintended data creation or corruption from ambiguous, hypothetical, or incidental user statements, especially when the agent acts proactively or infers project/task matches automatically.

Missing User Warnings

Medium, 87% confidence
Finding
The export command creates a static dashboard snapshot and encourages opening or deploying it, but it does not warn that the exported files may contain sensitive project and task data. Static exports are easy to copy, publish, or host accidentally, so users may expose internal planning information without realizing the privacy implications.

Missing User Warnings

Medium, 90% confidence
Finding
The export function generates a single self-contained HTML file embedding all task, project, and stats data directly into client-side JavaScript. In a planner skill, that data may include sensitive personal or business information, and the code provides no explicit warning, confirmation, redaction option, or access control, making accidental disclosure via sharing or static hosting more likely.

Missing User Warnings

Medium, 95% confidence
Finding
The tunnel can be started without any explicit warning or confirmation at the point of operation, which makes accidental internet exposure plausible. In the context of a task-planning skill, the dashboard may contain sensitive personal or business information, so silently or implicitly publishing it externally creates a meaningful confidentiality risk.

VirusTotal

64/64 vendors flagged this skill as clean.
