OpenAuto - Autonomous Agent

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it gives an agent broad persistent memory and autonomous work habits with inconsistent consent boundaries.

Install only if you deliberately want a persistent, proactive agent and are comfortable curating its memory files. Before use, require explicit approval for email/calendar access, web or external actions, background agentTurn cron jobs, app/tab cleanup, and any file deletion or trashing. Do not store secrets, credentials, highly sensitive personal data, or unnecessary third-party relationship details in USER.md, MEMORY.md, daily notes, or working-buffer logs.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Description-Behavior Mismatch (Medium severity, 90% confidence)

The file claims 'hardened security' while simultaneously admitting its safeguards are only advisory instructions and not enforced controls, yet it encourages autonomous and self-improving behavior. This can create dangerous overtrust: operators may assume technical containment exists when the skill actually relies on model compliance.

Description-Behavior Mismatch (Medium severity, 88% confidence)

The startup disclosure says automatic reads are limited, but later instructions direct the agent to read additional files every session. This inconsistency undermines informed consent and can lead users to expose files believing they are on-demand only when the skill later treats them as routine reads.

Description-Behavior Mismatch (Medium severity, 92% confidence)

The access disclosure lists some files, but the rest of the document instructs creation and routine use of additional notes, trackers, journals, heartbeat artifacts, and related paths. Omitting those paths masks the true persistence and collection footprint of the skill.

Context-Inappropriate Capability (Medium severity, 87% confidence)

The skill description centers on memory and security patterns, but the instructions also encourage spawning sub-agents and autonomous cron execution. Those capabilities expand operational authority well beyond passive memory management and increase the chance of unintended actions or broader data handling.

Intent-Code Divergence (Medium severity, 96% confidence)

The file says any network access or external actions require explicit user instruction or approval, but later also says the agent may 'freely' search the web and check calendars. That contradiction weakens the safety boundary and can lead the agent to initiate networked or privacy-sensitive actions without clear consent.

Description-Behavior Mismatch (Medium severity, 95% confidence)

The heartbeat checklist authorizes broad workstation-management actions such as closing apps, cleaning browser tabs, and moving files to trash, which exceed the stated scope of a security-focused agent architecture. This creates capability creep and increases the chance an agent will take unapproved actions on the user's device under the guise of routine maintenance.

Description-Behavior Mismatch (Medium severity, 94% confidence)

The file instructs periodic review of emails, calendar, projects, and ideas, but the skill description does not disclose proactive access to sensitive personal productivity domains. This mismatch can cause users to grant or inherit access without understanding that the skill is designed to inspect private communications and schedules on its own initiative.

Context-Inappropriate Capability (Medium severity, 96% confidence)

The checklist recommends potentially destructive cleanup actions, including closing apps and moving old screenshots to trash, without tying them to the stated purpose of the skill or requiring confirmation. In an autonomous heartbeat flow, these instructions could lead to unwanted data loss, interruption of user work, or deletion of files that were misclassified as disposable.

Vague Triggers (Medium severity, 84% confidence)

The WAL trigger tells the agent to scan every message for broad categories like preferences, proper nouns, decisions, and values, causing the skill to activate on ordinary conversation. This can lead to pervasive logging and behavioral takeover even when the user did not intend to engage memory capture features.

Natural-Language Policy Violations (Low severity, 78% confidence)

The skill directs follow-up questioning in every conversation without opt-in, which can pressure users into disclosing more personal context than necessary. While not severe by itself, it contributes to overcollection when combined with the persistent memory features elsewhere in the file.

Missing User Warnings (Medium severity, 93% confidence)

Permitting web and calendar access without warning or disclosure enables silent access to external services and potentially sensitive personal data. In an agent skill, that reduces user awareness and consent, especially because calendars and web sessions may contain authenticated or private information.

Natural-Language Policy Violations (Medium severity, 95% confidence)

The instruction to read SOUL.md, USER.md, and daily notes silently at session start removes user visibility into automatic data access. Even if these are framed as internal context files, they may contain sensitive information, and silent ingestion can bypass meaningful user choice.

Vague Triggers (Medium severity, 92% confidence)

The instruction to 'configure your agent to poll this during heartbeats' is an open-ended trigger with no frequency, scope, or authorization boundaries. Broad recurring execution increases the risk of repeated autonomous actions, especially when later sections include system cleanup, memory operations, and access to personal data sources.

Missing User Warnings (Medium severity, 97% confidence)

The cleanup section includes instructions to close applications, prune browser tabs, and move screenshots to trash without warning the user or requiring confirmation. These are operationally risky actions in a periodic autonomous loop and can disrupt active work or destroy data without the user realizing the skill was empowered to do so.

Missing User Warnings (Medium severity, 95% confidence)

The proactive work section encourages checking emails and calendar periodically without any privacy notice, minimization rule, or consent requirement. In context, this normalizes ongoing surveillance of highly sensitive personal data and could expose private communications, schedules, and relationships to unnecessary processing.

Missing User Warnings (Medium severity, 92% confidence)

This template explicitly encourages long-term storage of personal information such as background, preferences, important dates, relationships, and ongoing context, but provides no warning about sensitivity, retention limits, or handling requirements. In an agent memory system, this can normalize collection and indefinite retention of highly sensitive personal data, increasing privacy, compliance, and misuse risks if the memory store is accessed, exfiltrated, or over-collected.

Missing User Warnings (Medium severity, 89% confidence)

The onboarding flow explicitly states that the agent will persist gathered answers into USER.md and SOUL.md, but it provides no consent boundary, data minimization guidance, or warning that personal information will be stored in files. Because the questions solicit identity, timezone, work context, and key relationships, this can lead to unnecessary retention of sensitive personal data and unexpected modification of user-controlled files.

Missing User Warnings (Medium severity, 93% confidence)

This template explicitly encourages the agent to accumulate detailed personal information about a user, including goals, relationships, preferences, and life context, but provides no guidance on data minimization, consent, retention, or handling of sensitive information. In an autonomous agent skill, this can lead to unnecessary collection and persistence of personal data, increasing privacy risk and the blast radius if memory, logs, or downstream tools are exposed.

Missing User Warnings (Medium severity, 95% confidence)

The flow explicitly tells the agent to save onboarding answers into persistent memory files, but it does not require clear notice, consent, retention limits, or user control over what is stored. That creates a privacy risk because personal data may be collected and reused across sessions in ways the user does not fully understand or expect.

Missing User Warnings (Medium severity, 97% confidence)

The 'opportunistic learning' section instructs the agent to infer and persist user details from ordinary conversation without an explicit disclosure at the point of collection. This is dangerous because it normalizes covert profile building from casual remarks, increasing the chance of overcollection and user surprise.

Ssd 3 (Medium severity, 94% confidence)

The WAL protocol instructs persistent capture of broad classes of user-provided content, including names, preferences, decisions, edits, numbers, dates, IDs, and URLs. This creates a durable record of sensitive conversational data and increases privacy risk, especially because the skill itself admits its guardrails are not technically enforced.

Ssd 3 (Medium severity, 95% confidence)

The working buffer mandates logging every exchange after a context threshold, creating bulk transcript retention. Even with a note not to copy secrets verbatim, this still stores extensive private conversational content on disk and meaningfully expands the exposure surface if the workspace is accessed by other tools, users, or future tasks.

Ssd 3 (Medium severity, 86% confidence)

The onboarding and growth-loop model encourages ongoing collection of user goals, preferences, and personal context over time. In a skill built around persistence and proactive behavior, this expands profiling risk and can normalize unnecessary long-term storage.

Ssd 3 (Medium severity, 93% confidence)

These instructions direct persistent storage and later reuse of user-provided personal details, but they do not define minimization boundaries, sensitivity exclusions, or purpose restrictions. Without those guardrails, the agent may accumulate more profile data than needed and continue using it beyond the user's expectations.

Ssd 3 (Medium severity, 96% confidence)

The drip-mode design encourages the agent to gradually extract profile information over time and record it in memory files. That pattern is risky because it can bypass a single clear consent moment and lead to incremental profiling that feels natural to the user but is still persistent surveillance-like behavior.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal