Growth Guardian

Security checks across malware telemetry and agentic risk

Overview

This parenting skill is not malicious, but it asks an agent to create long-term files containing sensitive information about children and family life without clear privacy, retention, or deletion safeguards.

Review before installing. Use a dedicated private folder, avoid real names or school/medical details where possible, do not upload recordings unless you are comfortable processing them, and periodically delete or redact old records. This skill appears designed for local parenting notes rather than theft or damage, but it handles unusually sensitive information about minors.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium (91% confidence)
Finding
The trigger list includes very common parenting phrases such as '孩子最近怎么样' and '周报', which can cause the skill to activate during ordinary conversation without the user intending to invoke it. In this skill, unintended activation is more concerning because activation can lead into collection, analysis, and storage of sensitive child and family information.

Missing User Warnings

High (96% confidence)
Finding
The skill instructs the agent to create child archives and persist sensitive developmental, behavioral, and family information, but it does not present a prominent privacy notice, consent flow, retention policy, or guidance on minimizing sensitive data. Because the data concerns minors, the context makes the privacy risk substantially more severe than routine note-taking.

Missing User Warnings

High (97% confidence)
Finding
The skill accepts audio recordings and conversation transcripts for psychological-style analysis without a strong privacy warning or consent checkpoint. Audio and transcripts can contain highly sensitive biometric, emotional, and family data about children, so ingestion without explicit safeguards materially increases exposure and misuse risk.

Ssd 3

Medium (98% confidence)
Finding
These instructions direct the agent to collect and persist detailed child and family information, including identifiers, household relationships, and developmental observations, into structured files. Centralizing this level of sensitive minor data increases the blast radius of accidental disclosure, unintended reuse, or oversharing, especially because the workflow encourages routine accumulation over time.

Ssd 3

Medium (95% confidence)
Finding
The reporting workflow instructs the agent to read and aggregate all logged child conversations and behavioral records into summaries, which can amplify privacy harm by resurfacing sensitive data across contexts. Even if intended as a convenience feature, broad aggregation increases the chance of exposing more sensitive content than the user expects in a single output.

VirusTotal

65/65 vendors flagged this skill as clean.
