ClawHub

Agent Daily Briefing

Security checks across malware telemetry and agentic risk

Overview

This is a coherent Convex development skill that creates component code in a project; the supplied privacy findings do not match the inspected artifacts.

Install this if you want an agent to modify a Convex codebase to create reusable components. Review the proposed tables, wrappers, scheduled callbacks, and any stored configuration before accepting changes, especially if a component will store user data or webhook URLs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This section introduces persistent engagement analytics in `memory/briefing-log.json` and uses that history to tune behavior over time, creating a user profiling mechanism beyond a simple daily briefing. Persistent behavioral logging can expose routines, productivity patterns, and channel usage if accessed by other skills, leaked, or retained without user awareness.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The documented morning/evening/next-morning loop turns the skill into an ongoing cross-day memory workflow that both reads and writes daily files, materially expanding its data access and persistence beyond a morning briefing. That increases the attack surface for over-collection, accidental retention of sensitive task data, and unintended coupling with another skill that may have broader permissions.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill is explicitly designed to proactively collect and send potentially sensitive personal information such as calendar events, tasks, pending items, location-derived weather, and optional inbox/news summaries to an external messaging channel. While the behavior is the core feature, the documentation does not prominently warn users about the privacy implications, recipient/channel exposure, or the risk of misdelivery to shared or insecure channels, making unintended data disclosure more likely.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation describes logging and memory-file writes across days and potentially across channels without any visible warning, consent flow, or retention policy. In the context of a daily briefing skill, undisclosed persistence is more dangerous because users may reasonably expect ephemeral summaries, not durable records of tasks, calendar-derived activity, and engagement signals.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal