daily-reflection-journal

Security checks across malware telemetry and agentic risk

Overview

This is a local daily journaling guide that is coherent with its purpose, though users should know it may save sensitive reflections to dated markdown files.

Install only if you are comfortable with the agent asking reflective personal questions and saving entries locally. Check where `daily-reflection/YYYY-MM-DD.md` is created, whether that folder is synced or shared, and review or delete entries that contain sensitive personal information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Severity: Medium
Confidence: 78%
Finding:
The trigger list includes broad, common phrases such as “回顾今天” and “today reflect”-style wording that may appear in normal conversation, increasing the chance of accidental invocation. While not directly enabling code execution or data exfiltration, unintended activation can cause the agent to steer users into reflective journaling flows unexpectedly and may expose sensitive personal content if the skill proceeds to save responses.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill instructs saving highly personal reflection content to `daily-reflection/YYYY-MM-DD.md` without informing the user, requesting consent, or describing retention and storage behavior. Because reflection entries may contain sensitive emotional, interpersonal, or mental-health-related details, silent persistence to disk creates a real privacy risk if the device, workspace, or repository is shared or later exposed.

VirusTotal

64/64 vendors flagged this skill as clean.
