Goal Tracker

Security checks across malware telemetry and agentic risk

Overview

This productivity skill keeps local goal-tracking files and offers optional scheduled reminders, with its file changes disclosed and scoped to the goals workflow.

Install this if you want an agent to maintain local goal-tracking Markdown files. Keep highly sensitive personal, financial, or business details out of goals/GOALS.md unless you are comfortable with the agent rereading them later, and only add the heartbeat or cron examples if you want scheduled reminders or reviews.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 86%
Finding
The skill explicitly allows automatic invocation via heartbeat or cron, but the trigger conditions are broad and not bounded by clear user-consent, scope, or rate-limit requirements. In an agent environment, this can cause unintended repeated execution, unsolicited reads/writes to goals files, and surprise workflow changes, especially when combined with automatic updates to `goals/GOALS.md` and archive/retro files.

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill description and check-in flow describe reading and updating workspace files, but they do not present a prominent upfront warning that the skill will create, modify, archive, and overwrite files in `goals/`. Users may invoke it expecting conversational assistance and not realize it performs persistent filesystem actions, which increases the risk of accidental data modification or loss.

VirusTotal

64/64 vendors flagged this skill as clean.
