Plan Do Check Act

Security checks across malware telemetry and agentic risk

Overview

This is a local planning helper whose file access, progress checks, and cleanup behavior are disclosed and fit its stated PDCA workflow purpose.

Install this only if you want a local file-backed planning workflow. Use a dedicated workspace, avoid putting real session IDs or sensitive project details in plan files if they may be shared, review output before acting on recovered progress, and run cleanup with --dry-run before deleting archived plans.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if os.path.exists(dep_script):
    import subprocess
    try:
        proc = subprocess.run(
            ['python3', dep_script, plan_path],
            capture_output=True,
            text=True,
            timeout=5,
        )
Confidence
84% confidence
Finding
proc = subprocess.run( ['python3', dep_script, plan_path], capture_output=True, text=True, timeout=5 )

Vague Triggers

Medium
Confidence
91% confidence
Finding
The automatic trigger conditions include broad, everyday status queries like asking what's pending or how progress is going. In practice, this can cause the skill to activate in contexts where the user did not intend persistent plan inspection or file-backed workflow automation, leading to unnecessary file access, state mutation, or disclosure of prior task data.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The keyword triggers are highly generic terms like 'plan', 'todo', 'track', and 'checklist', which are common in ordinary conversation. Such vague activation rules increase the chance of unintended invocation, causing the skill to create or inspect plan files and potentially expose or alter workspace state without clear user consent.

VirusTotal

57/57 vendors flagged this skill as clean.
