todos

Security checks across malware telemetry and agentic risk

Overview

This is a real TODO/reminder skill, but it asks for persistent scheduling, external notifications, and broad natural-language authority without enough user-control safeguards.

Install only if you are comfortable with a TODO skill that keeps local history, may store your exact wording, can create recurring reminder jobs, and may send task details to DingTalk. Before enabling reminders, choose the channel explicitly, inspect any cron or WorkBuddy automations it creates, avoid putting secrets or sensitive personal/financial details in tasks, and back up the database before uninstalling or running cleanup scripts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions while its design explicitly relies on file reads/writes, shell commands, environment-driven backend selection, SQLite access, cron setup, and automation creation. This mismatch is dangerous because it prevents informed consent and policy enforcement: a host may grant the skill more capability than users or reviewers expect, increasing the chance of unauthorized persistence or local command execution paths being abused.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose is a personal TODO manager, but the file describes materially broader behavior including external automation integration, alternate reminder channels, archive lifecycle handling, audit logging, cron/system management, and packaging tasks. Description-behavior mismatch is risky because reviewers and users may approve the skill for a narrow purpose while hidden or under-disclosed features expand data handling and execution scope beyond what was consented to.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This design lets a personal TODO skill modify an external report file by appending todo content, which exceeds the minimal capability needed for task management. That creates a cross-document integrity and privacy risk: user-supplied text can be copied into other artifacts, potentially leaking sensitive notes or corrupting downstream reports if paths or contents are not tightly constrained.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The examples extend the skill from simple personal TODO management into reminder-channel setup, outbound DingTalk notifications, and broader automation behavior. That scope expansion matters because examples often drive agent behavior; an agent may infer it is allowed to configure or trigger external automations without a clearly bounded user consent flow.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
Documenting subprocess-based external command invocation for notification delivery introduces an execution path outside core TODO storage/listing behavior. If later implemented loosely, this can become command-execution or unintended external-action risk, especially when examples normalize calling external tooling as part of routine reminder handling.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The examples state that recurring automations are created in the environment, which is a materially stronger capability than managing a user's TODO list. This can cause the agent to schedule persistent background actions without an explicit, narrowly scoped authorization step, increasing the risk of unintended ongoing behavior.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The security report contains internally inconsistent claims: it says there are no external HTTP calls, yet elsewhere documents DingTalk webhook pushes and cron API registration as network operations. This can mislead reviewers and users about the true network exposure of the skill, causing underestimation of data egress and permission risk.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The planned webhook reminder backend introduces a generic network-capable extension that is not necessary for a local personal TODO skill. Even as a design option, a webhook sink could transmit task contents, timing, and metadata to arbitrary endpoints, creating data exfiltration and SSRF-like risk if later enabled without strict controls.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The manifest expands a personal TODO skill into ETF/quant-report linkage, which is a scope-creep problem that can cause the agent to route finance-related requests into a skill with filesystem, cron, and outbound messaging capabilities. In a security context, widening scope without clear boundaries increases the chance of unintended actions, sensitive data handling, and user confusion about what the skill is allowed to do.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
Including "ETF 持仓管理" ("ETF position management") in trigger contexts materially broadens when the skill may activate, despite the declared purpose being personal task management. This mismatch makes accidental invocation more likely in finance conversations and could lead to task creation, persistence, reminders, or outbound notifications in contexts the user did not intend.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The examples describe outbound DingTalk pushes and recurring automations without prominently requiring user warning, consent, or disclosure of side effects. In agent systems, this is dangerous because documentation can normalize silent external messaging or background task creation, leading to privacy, notification-spam, or unauthorized-action issues.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The instructions encourage configuring and testing DingTalk push notifications without warning that TODO content may be transmitted to an external service. Because TODO items can contain personal reminders, work details, or sensitive notes, users may unknowingly disclose private data to third-party channels or chat recipients.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The uninstall section includes a destructive `rm -rf` command on the skill directory without an explicit warning that this permanently deletes the local database and configuration. Users following the guide may irreversibly remove reminders, history, and channel settings, especially if they skip or misunderstand the optional backup step.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Overly broad natural-language triggers can cause the agent to invoke the todo skill during ordinary conversation and perform unintended state-changing actions such as add, complete, or delete. In this skill context, persistent cross-session storage and reminder side effects make accidental activation more dangerous than a harmless misclassification.

Vague Triggers

Medium
Confidence
89% confidence
Finding
A vague deletion example like '不重要了,删除那条' ("not important anymore, delete that one") lacks clear constraints on which item is targeted, increasing the risk of deleting the wrong persisted todo through recency heuristics or ambiguous matching. Because the skill maintains cross-session personal data, accidental deletion can cause data loss or integrity issues even if soft-delete exists.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The schema stores raw task content, raw user input, and reminder configuration persistently across sessions, but the skill text does not clearly warn users about retention duration, storage location, or sensitivity implications. This is dangerous because users may place passwords, financial notes, health details, or personal schedules into TODOs without realizing the data is retained locally and potentially included in logs, backups, or fallback files.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill advertises DingTalk push reminders but does not clearly warn that task details may be sent to an external notification channel. This matters because TODO items often contain sensitive content, and transmitting them to a third-party service changes the trust boundary, potentially exposing personal schedules or confidential work details.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Several trigger keywords are common conversational phrases such as "提醒我" ("remind me"), "记一下" ("note this down"), and "完成了" ("done"), which can appear in ordinary chat without a clear intent to invoke this skill. In an agent environment, broad triggers can cause unintended execution that writes files, registers reminders, or sends notifications based on ambiguous user input.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest requests read/write filesystem access, outbound network messaging, and cron registration, but does not clearly disclose these side effects in a user-facing consent or warning model. For a conversational TODO skill, silent persistence and scheduled outbound actions increase the risk of unauthorized data storage, surprise notifications, and long-lived automation beyond the user's expectations.

Vague Triggers

High
Confidence
96% confidence
Finding
The add-action trigger set is overly broad and includes common verbs and everyday phrases such as “做” ("do"), “看” ("look"), “买” ("buy"), “问” ("ask"), and “需要” ("need"), which can appear in normal conversation without any intent to create a TODO. In a cross-session personal task skill, accidental invocation can silently persist unintended tasks or reminders, creating integrity and privacy issues and causing follow-on notification spam.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The done-action phrases include ambiguous conversational expressions like “搞定” ("sorted"), “✓”, and “已办” ("handled"), which may occur casually or refer to something outside the TODO system. This can cause tasks to be marked complete incorrectly, reducing task-list integrity and potentially hiding important reminders the user still depends on.

Vague Triggers

High
Confidence
95% confidence
Finding
The delete-action triggers are broad and include generic phrases like “删掉” ("delete it"), “不要了” ("don't want it anymore"), and “取消那条” ("cancel that one") without requiring strong binding to a specific task. In a persistent personal TODO system, accidental or adversarially induced deletions can irreversibly remove reminders or scheduled notifications, leading to loss of important user data and missed obligations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script overwrites the user's crontab non-interactively by piping modified entries directly into `crontab -` without any confirmation, dry-run, or explicit consent step. In a personal TODO skill, persistence is expected, but silently installing scheduled jobs changes host state and can surprise users, create unwanted background execution, or clobber existing cron content if the filtering logic behaves unexpectedly.

Ssd 3

Medium
Confidence
96% confidence
Finding
The design explicitly stores full raw user inputs and exposes retrieval by raw_input, creating unnecessary retention of natural-language content that may include secrets, personal data, trading intent, or other sensitive context. Because this is a cross-session personal skill, the persistence and reuse of verbatim inputs increases the blast radius of accidental disclosure, debugging leaks, backups, or secondary reuse beyond the original reminder purpose.

Ssd 3

Medium
Confidence
94% confidence
Finding
Appending pending todo content into ETF reports propagates user-provided text into another document and context, which can leak sensitive information or embed untrusted text into outputs consumed elsewhere. In this skill, todos are natural-language and may contain personal reminders, market strategies, or identifiers, so copying them into reports increases exposure and weakens separation between private task data and publishable/reporting artifacts.

VirusTotal

65/65 vendors flagged this skill as clean.