Home Todo

Security checks across malware telemetry and agentic risk

Overview

This is a transparent home-reminder skill that uses a local todo file, though users should understand it can surface persistent reminders in Dashboard chats.

Install only if you want Dashboard conversations to automatically include reminders from a persistent local home-todo file. Avoid saving sensitive household or personal details there, and periodically review or clear ~/.openclaw/workspace/.home-todos.md if cross-channel reminder memory is not desired.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

High
Confidence: 97%
Finding
The skill is configured to auto-trigger on any Dashboard message, regardless of whether the message is related to home tasks. That creates an overbroad interception pattern where unrelated conversations will consistently cause file reads and behavioral modification of responses, increasing privacy exposure and the chance of surprising or unauthorized data use.

Vague Triggers

High
Confidence: 95%
Finding
The instruction to record tasks when the user says '回家要干xxx' in any channel is overly broad and ambiguous, potentially collecting data from unrelated communication platforms without context-sensitive consent. This can lead to cross-channel data aggregation and persistent storage of personal information the user may not expect to be copied into a local reminder file.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill describes persistent storage of tasks inferred from messages across channels but does not warn the user that these items will be written to a file. This lack of notice undermines informed consent and can cause users to unknowingly disclose sensitive personal routines, household details, or reminders into persistent storage.

VirusTotal

49/49 vendors flagged this skill as clean.
