cc-sticky-notify

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local Mac sticky-notification skill, but it asks for persistent hooks and cross-application window access that users should review before installing.

Install only if you are comfortable with a local Mac notifier adding persistent Claude Code hooks and reading/storing app and window context to support source display and click-to-focus behavior. Review the hook commands and macOS permissions first; no artifact-backed network exfiltration, credential theft, destructive action, or remote code download was found.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented purpose is a local notification tool, but the analyzed behavior indicates substantially broader capabilities: inspecting other applications' front windows, collecting window metadata, persisting focus/session data in /tmp, and requesting Apple Events automation entitlements. That mismatch is dangerous because users may consent to a benign notifier while unknowingly granting cross-application observation and automation capability that could expose sensitive titles, workflow context, or enable unintended app interaction.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The installer creates an entitlements file and signs the app with `com.apple.security.automation.apple-events=true`, which grants the app the ability to automate/control other applications via Apple Events. That capability is not justified by the stated purpose of displaying notifications and materially expands the app's access beyond its notification-focused scope.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
For a sticky-note notification utility, enabling Apple Events automation is context-inappropriate and increases attack surface by allowing scripted interaction with other macOS apps if the binary is abused or later modified. In this skill's context, that permission is more suspicious because notification display does not require Apple Events at all.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script goes beyond showing notifications by walking ancestor PIDs and querying System Events and CoreGraphics for the active application, front window title, position, and window ID. In a notification skill, this is unnecessary for core functionality and creates avoidable collection of sensitive UI context that may expose what the user is working on, especially since window titles often contain document names or private data.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Capturing front-window metadata is not clearly justified by the stated purpose of pinned task notifications. The code stores front window name, coordinates, and CGWindowID on disk, which increases privacy risk and could be repurposed for user activity tracking without delivering essential notification value.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code uses macOS Accessibility APIs to enumerate another app's windows by title and raise a specific one, which is a privileged cross-application interaction beyond simple notification display. In this skill's context, that behavior is likely intended as a convenience feature, but it increases capability and trust requirements because it can inspect UI state and manipulate focus in other applications if granted Accessibility permissions.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The script writes notification content and session state into predictable files under /tmp, including message text and session-derived identifiers. On multi-user or shared environments, temporary-file storage can expose task content or allow tampering if file permissions and secure creation are not enforced.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script silently collects foreground application and window information using macOS automation APIs without any user-facing disclosure. Even if intended for better notification placement, undisclosed collection of UI context is privacy-invasive and more dangerous in this skill context because users expect simple alerts, not app/window inspection.

VirusTotal

60/60 vendors flagged this skill as clean.
