Home Maintenance Os

Security checks across malware telemetry and agentic risk

Overview

This is a local home-maintenance record keeper that persistently stores household details, with privacy caveats but no evidence of hidden execution, network sharing, credential use, or destructive behavior.

Install this only if you want an agent to maintain a persistent local record of home systems, contractors, service costs, warranties, and possibly addresses. Review confirmations after casual mentions, avoid saving sensitive details you do not need, and periodically inspect or delete home-data.json if you no longer want the information retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill is configured to trigger on very broad, casual home-related phrases, which increases the chance of unintended activation and collection or persistence of household data when the user did not explicitly intend to use this skill. In this context, the skill stores sensitive information such as home addresses, appliance details, warranties, contractors, and service history, so accidental invocation can lead to unnecessary retention of private household data.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill mandates persistent storage of detailed household and contractor data in home-data.json without any privacy warning, minimization guidance, retention controls, or consent checkpoint. Because the recorded data can include addresses, service dates, spending, contact details, and household equipment information, this creates avoidable privacy and security risk if the data store is accessed by unauthorized parties or populated without informed user consent.

Missing User Warnings

Medium
Confidence: 92%
Finding
The eval explicitly expects the skill to write appliance and warranty-related information to home-data.json without any indication that the user is informed or consents to persistent storage. In a home-maintenance context, this data can reveal occupancy details, appliance inventory, service timelines, and contractor/warranty metadata, so silent persistence creates a meaningful privacy and security risk.

Missing User Warnings

Medium
Confidence: 88%
Finding
The eval explicitly requires persisting household equipment details and a contractor phone number to a JSON file across sessions, but it provides no safeguards around user consent, data minimization, retention, or protection of stored personal information. In a home-maintenance skill, this creates a real privacy risk because cross-session storage can accumulate sensitive household metadata and contact details that may later be exposed, over-retained, or reused in unintended ways.

VirusTotal

65/65 vendors flagged this skill as clean.
