DoctorClaw Weekly Report

Security checks across malware telemetry and agentic risk

Overview

This weekly-report skill is instruction-only and its access to tasks, email, calendar, delivery channels, scheduling, and archiving is disclosed and aligned with generating reports.

Before installing, decide exactly which task source, inbox, calendars, archive folder, delivery channel, and recipients the agent may use. Review at least one report before enabling Friday cron delivery, and avoid shared Telegram or Discord delivery unless client, email, meeting, and business details are appropriate for that audience.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill instructs the agent to aggregate sensitive data from tasks, emails, and calendar entries, then deliver or archive the resulting report, but it provides no privacy guardrails, consent boundaries, recipient validation, retention limits, or guidance on minimizing sensitive content. This creates a real risk of over-collection and unintended disclosure of personal, client, or business-confidential information, especially when reports are sent to chat channels or stored in memory by default.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal