ClawHub

Countdown Timer - 倒计时助手

Security checks across malware telemetry and agentic risk

Overview

This is a simple local countdown helper that saves user-entered countdown labels and dates, with privacy and documentation clarity gaps but no evidence of hidden or harmful behavior.

Install only if you are comfortable with countdown names, birthdays, anniversaries, or reminder labels being saved locally in a JSON file. Avoid sensitive labels, and check the actual countdowns.json location because the documentation and implementation do not name the same storage path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly requires file read/write permissions and shows persistent storage of personal event data such as birthdays and reminders, but it does not clearly inform users that this information will be stored locally. This creates a privacy risk because users may disclose sensitive personal dates or routines without meaningful notice, and stored data could later be accessed by other local processes or users depending on system protections.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The skill persists user-provided countdown titles and dates to a local JSON file without any notice, consent flow, or retention explanation. While this is not an active exploit primitive, it creates a privacy issue because users may enter sensitive personal dates or events that are stored on disk unexpectedly and could later be accessed by other local users, backups, or tooling.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal