Security audit

4to1 Planner

Security checks across malware telemetry and agentic risk

Overview

This is a coherent planning skill that connects to user-selected productivity tools, with real but disclosed credential and privacy caveats.

Install only if you are comfortable granting the selected backend access to your planning data. Prefer the local Markdown option for privacy, or use a least-privilege Notion integration shared only with the intended page. Protect ~/.config/4to1/config with restrictive permissions, avoid sharing or syncing it, and ask the agent to preview important changes before writing them to Notion, Todoist, or local files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Medium
Confidence: 88%
Finding
The README claims the AI can automatically read data from Notion and Todoist to track user progress, but it provides no warning about the scope of data access, consent expectations, or privacy implications. In a planning skill, those sources can contain sensitive personal schedules, goals, habits, and notes, so normalizing silent or poorly explained access increases the risk of over-collection and user surprise.

Vague Triggers

Medium
Confidence: 88%
Finding
The activation phrases are broad, everyday requests such as 'What should I focus on today?' and 'Help me set up a planning system,' which can cause the skill to trigger unintentionally in unrelated conversations. Because the skill can then access or modify planning data and connected backends, accidental invocation increases the risk of unintended data reads/writes or external API actions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill instructs users to store plans and API credentials locally and to send planning data to Notion, Todoist, or Google services, but it does not provide an explicit privacy/security warning at the point of setup. Users may disclose sensitive life, career, financial, or health-related planning information without understanding that it will be persisted locally and transmitted to third parties.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script prompts the user for a Notion API key and then writes it directly into a config file under the user's home directory in plaintext. Any local process, backup system, shared account, or overly permissive file permissions could expose the token, enabling unauthorized access to the user's Notion workspace and planning data.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script collects the Todoist API token interactively and appends it to a plaintext config file without any notice or access-control hardening. If that file is readable by other users, indexed by tooling, or copied into backups/sync services, the token could be stolen and used to access or manipulate the user's task data.

Missing User Warnings

Medium
Confidence: 95%
Finding
The script directly sources a user-writable config file, which executes any shell code contained in that file with the privileges of the user running the script. If the config file is modified by another local process, installer, or attacker with access to the account, running this status check becomes an arbitrary code execution path.

Missing User Warnings

Medium
Confidence: 94%
Finding
The template instructs the agent to pull personal productivity data from configured backends, including prior reviews, milestones, and behavioral lists, without any user-facing notice, confirmation, or data-minimization guidance. In a planning assistant context, this can expose sensitive behavioral and work information unexpectedly, especially if the review is triggered casually or in a shared environment.

VirusTotal

64/64 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.