ClawHub

Daily Briefing

Security checks across malware telemetry and agentic risk

Overview

This is a transparent daily-briefing instruction skill, but it can summarize private planning data and send it to configured chat channels if the user enables those sources.

Install only if you are comfortable with an agent summarizing selected calendar, task, email, travel, or work-priority data. Start with on-demand briefings, send full summaries only to private channels or direct messages, avoid broad email access, and review any cron, heartbeat, or memory-log settings so the briefing does not keep running or retaining details longer than intended.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to compile and deliver calendar events, tasks, location-based weather, pending items, and optionally news or other summaries to external messaging channels, but it does not clearly warn that this may involve accessing and transmitting sensitive personal or work information. In a proactive scheduled skill, this omission is risky because users may enable it without understanding that private schedule details, task contents, and contextual data could be sent automatically to third-party platforms such as Telegram or Discord.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The customization example encourages 'Summarize unread emails from last 12 hours' without any warning that mailbox contents often contain sensitive personal, financial, legal, authentication, or corporate information. Because this skill is designed for automated periodic delivery, the agent could ingest and redistribute email-derived content into external chat channels or logs without adequate user awareness or consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This section explicitly instructs the agent to persist briefing engagement data and daily memory files containing personal activity details such as calendar volume, tasks, and overdue status, but it does not mention user consent, retention limits, access controls, or any warning about ongoing storage. In a daily briefing skill, this creates a meaningful privacy risk because the feature profiles a user's routines over time and links multiple days of behavioral data into a continuous history.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal