Decision Log

Security checks across malware telemetry and agentic risk

Overview

This is a local decision-journal skill with optional automation prompts, and the reviewed artifacts do not show hidden code, network transfer, credential use, or destructive behavior.

Install only if you want a persistent local record of business decisions. Configure the optional automatic triggers narrowly, review entries before saving or sharing them, and do not record credentials, private client details, or sensitive financial information unless you intentionally want them in the decisions folder.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The spend-triggered rule activates on any mention of spending money, which is broad enough to fire during ordinary discussion rather than explicit decision-log use. In an agent environment, this can cause unwanted prompting, accidental logging, and collection of potentially sensitive financial context without a clear user intent boundary.

Vague Triggers

Medium
Confidence: 87%
Finding
The project kickoff trigger relies on vague cues like creating a project file or saying "starting [X]," which are common actions in normal workflows. That ambiguity can lead to unintended skill invocation and persistent records being created or suggested when the user did not intend to use the decision journal.

Vague Triggers

Medium
Confidence: 91%
Finding
Automatically logging tool or subscription adoption on any detected addition of a tool or service is an overly broad automation that may infer actions from casual mentions, research, or tentative plans. Because it creates structured records automatically, it increases the risk of inaccurate entries and unintended capture of operational or vendor-related information.

VirusTotal

63/63 vendors flagged this skill as clean.
