PARA + Proactive Agent Workspace

Security checks across malware telemetry and agentic risk

Overview

This is a legitimate workspace and memory template, but it gives the agent broad proactive authority and persistent memory behaviors that users should review before installing.

Install only if you intentionally want a proactive, persistent-memory workspace. Before using it, review AGENTS.md, HEARTBEAT.md, SESSION-STATE.md, MEMORY.md, USER.md, and TOOLS.md; remove email/calendar/social checks you do not want; require confirmation for commits, pushes, deletions, external messages, and account access; and keep memory files private, redacted, and out of version control or cloud sync unless you have made an explicit choice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The heartbeat checklist directs the agent to proactively review emails, calendars, and project status, which goes beyond a file-organization/workspace template and encourages access to external, potentially sensitive systems without an explicit user request. In this skill context, that scope expansion is more dangerous because users would reasonably expect workspace organization help, not autonomous monitoring of communications and schedules.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The template promotes unsolicited proactive behavior such as building things 'RIGHT NOW' to surprise the user, which can cause the agent to take actions outside the user's immediate intent or authorization. In a workspace-template skill, this creates unnecessary risk of overreach because the skill's stated purpose is organization and memory persistence, not autonomous initiative across arbitrary domains.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly promotes persistent memory files such as USER.md, MEMORY.md, SESSION-STATE.md, and daily logs, but it does not warn users that personal profile data, preferences, decisions, and interaction history may be stored on disk. In a workspace/template skill centered on agent memory persistence, omission of a privacy notice materially increases the risk of unintended retention, local exposure, syncing to cloud backups, or accidental check-in to version control.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The activation phrases are broad, generic productivity terms such as "productivity," "organize files," and "knowledge management," which can cause the skill to trigger in many unrelated user requests. This increases the chance of unintended invocation, context hijacking, or the skill influencing conversations where the user did not explicitly ask for this workspace template.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file explicitly instructs the agent to delete `BOOTSTRAP.md` automatically after reading it, without user confirmation or safeguards. Even if intended as cleanup, this normalizes autonomous file deletion and can destroy onboarding state, auditability, or recovery information if the file is still needed or was modified unexpectedly.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The checklist instructs the agent to update MEMORY.md and TOOLS.md as part of self-healing and memory maintenance without requiring visibility, approval, or change controls. Autonomous modification of persistent memory and tool documentation can silently alter future behavior, entrench prompt-injected content, or create confusing state that the user did not authorize.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The template tells the agent to inspect recent logs for issues and fix them, but does not warn that logs and related data may contain secrets, personal information, or sensitive operational context. In combination with the broader heartbeat model, this normalizes background access to sensitive data sources without transparency or consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly instructs the agent to write daily notes to persistent memory and distill them into long-term memory, but provides no privacy warning, retention limits, or guidance on handling sensitive data. In a workspace template centered on agent memory persistence, this omission can lead users to store personal, confidential, or regulated information indefinitely without informed consent or safeguards.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The template explicitly tells the agent that this is the 'ONLY place specific details are safe' and to write down anything important 'NOW,' which encourages indiscriminate persistence of session data. In a workspace/memory skill, that can lead to retention of personal, sensitive, or confidential user information without minimization, consent, or handling guidance.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The sections for 'Names, dates, specific values learned' and 'Preferences Expressed' directly prompt collection of user-identifying and behavioral data but provide no warning or constraints on what should not be retained. This creates a clear privacy risk because the template normalizes storing personal data in long-lived workspace memory.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The file explicitly instructs the agent to treat workspace files as persistent memory and to read and update them each session. In a skill centered on agent memory persistence and proactive behavior, this can normalize autonomous modification of user data without requiring explicit consent, increasing the chance of unintended data changes, privacy issues, or persistence of sensitive information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The template explicitly says it captures every exchange and survives compaction, which creates an instruction to persist conversational content beyond the immediate context window. In a workspace and AI memory-persistence skill, this raises real privacy and data-retention risk because sensitive user data may be stored and resurfaced later without consent, minimization, or warning.

Ssd 3

Medium
Confidence
95% confidence
Finding
The instructions encourage writing 'every exchange,' names, preferences, decisions, and specific values into persistent memory files using a WAL-style workflow. That creates a clear data retention and leakage risk because conversational content can include sensitive personal information, credentials, internal project data, or regulated data that may later be exposed through local compromise, backups, file sharing, or repository sync.

Ssd 3

Medium
Confidence
97% confidence
Finding
By framing the file as active working memory and instructing the agent to persist all important details, the template promotes centralized storage of session data, including potentially sensitive information, beyond the immediate interaction. In the context of an AI memory-persistence workspace, this increases the chance of over-collection, cross-session exposure, and unintended reuse of user data.

Ssd 3

Medium
Confidence
95% confidence
Finding
These fields encourage logging detailed user-provided information such as names, dates, values, and preferences into persistent memory, which can create a durable profile of the user. In a 'second brain' and agent-memory template, that context makes the issue more dangerous because the design goal is long-term retention and reuse across sessions.

Ssd 3

Medium
Confidence
96% confidence
Finding
The language directs the system to retain every user exchange across context compaction and to read it first during recovery, creating a persistent memory mechanism that can propagate sensitive content into future interactions. Given this skill is specifically designed for agent memory persistence and workspace organization, the instruction is more dangerous because it operationalizes long-term retention as normal behavior.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Nothing new since last check
- You just checked <30 minutes ago

**Proactive work you can do without asking:**

- Read and organize memory files
- Check on projects (git status, etc.)
Confidence
82% confidence
Finding
without asking

VirusTotal

66/66 vendors flagged this skill as clean.