Claws Daily

Security checks across malware telemetry and agentic risk

Overview

This skill generates news briefs twice daily, as disclosed. It stores preferences locally and schedules its own runs, both of which are expected for that purpose.

Install this if you want scheduled personalized news briefs. During setup, keep the saved profile high-level, avoid sensitive personal or political details, review metadata.json after initialization, and disable the Heartbeat if you no longer want twice-daily runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 94%
Finding
The install instructions explicitly require persisting user-derived profile, interest labels, and language settings into metadata.json, but provide no disclosure, consent step, retention guidance, or protection recommendations for that personal preference data. While the data is not highly sensitive by default, it can still reveal habits, interests, and possibly political or professional preferences, creating unnecessary privacy risk if the local skill directory is exposed, synced, or shared.

Missing User Warnings

Medium
Confidence: 96%
Finding
The initialization flow asks the user for personal interests, content preferences, style preferences, and language, then directs the agent to generate and save a reusable PROFILE without warning the user that these responses will be retained. This creates a privacy transparency issue and may cause users to disclose more than intended, especially because the profile can encode nuanced behavioral or topical interests beyond simple configuration.

VirusTotal

66/66 vendors flagged this skill as clean.
