ClawHub
Back to skill

Security audit

DoctorClaw Project Status

Security checks across malware telemetry and agentic risk

Overview

This project-status skill is coherent, but it may automatically share and archive sensitive project, calendar, and team workload information without enough privacy and retention controls.

Install only if you are comfortable granting access to project tasks, calendar-derived milestones, and team workload details. Before using scheduled delivery, explicitly choose approved private channels, limit which projects and people are included, redact sensitive client or personnel details, and set a retention or cleanup policy for saved reports.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly recommends delivering consolidated project status updates through external channels such as Telegram or Discord, and the example output includes sensitive operational details like blockers, deadlines, staffing load, and unassigned work. Without guidance on access control, redaction, or approved destinations, the skill creates a realistic risk of disclosing internal business and personnel information to unintended recipients.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to archive daily status boards to disk under a predictable path, while those reports may include sensitive project health, delays, client dependencies, and team workload information. Persisting this data without retention limits, access restrictions, or sanitization increases the chance of unauthorized access, overexposure of employee/project data, and long-term accumulation of sensitive internal records.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal