Security audit

Content Calendar

Security checks across malware telemetry and agentic risk

Overview

This is a local content-planning skill that stores calendar and draft data as part of its stated purpose, with no hidden code, network access, or credential use found.

Install this if you are comfortable with your content calendar, drafts, ideas, channel notes, and performance observations being saved locally in content-data.json. Avoid storing sensitive unpublished strategy unless you know where the skill data directory is and how to inspect or delete that file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The README advertises very broad example trigger phrases such as requests about content ideas, scheduling, drafting, repurposing, and checking a calendar, but it does not define clear invocation boundaries versus adjacent general writing, marketing, or planning tasks. In an agent ecosystem, this can cause overbroad skill selection, leading the skill to activate in contexts the user did not intend and potentially exposing unrelated conversation context or causing unauthorized actions within the skill's scope.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The invocation description is very broad and can activate on routine discussion of content planning, posts, newsletters, or content ideas, causing the skill to engage in contexts where the user did not explicitly request persistent calendar management. In this skill, that matters because the assistant is instructed to read and write persistent data, so over-triggering can expose prior user data inappropriately or create/modify records without sufficiently clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill persistently stores user drafts, notes, ideas, performance observations, and channel details in `content-data.json` but does not explicitly warn users that their content will be retained. Because the stored data can include unpublished material, strategy notes, and potentially sensitive business information, users may disclose data under the assumption it is ephemeral when it is not.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.