Marathon Clip

Security checks across malware telemetry and agentic risk

Overview

This running recap skill is mostly coherent, but it needs review because it handles sensitive workout/location data and can send the generated video to a hard-coded Telegram recipient.

Install only if this is your personal workflow and you understand the data paths. Before running it, verify the sahi-diet database and Garmin credentials are yours, remove or replace the hard-coded Telegram recipient, avoid the residential-proxy music guidance, and enable weekly cron delivery only after confirming where each MP4 will be copied or posted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill metadata frames this as a simple local video-rendering utility, but the body also documents fetching GPX tracks from Garmin, optional Telegram/OpenClaw delivery, and copying artifacts into an outbound media directory for further transmission. That mismatch matters because it hides network access, handling of sensitive location/fitness data, and exfiltration-capable delivery behaviors that users or operators may not expect from the declared purpose alone.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script is hard-wired to read workout data from a different local project's SQLite database under the user's home directory rather than from an explicit input owned by this skill. In the context of a video-rendering skill, cross-project data access creates an unjustified data boundary violation and can expose private fitness notes and activity history without clear user consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This script reaches into another local application's workspace and database, which exceeds the stated purpose of generating a marathon recap clip. That makes the skill capable of harvesting data from outside its expected scope, and if run in an agent environment with filesystem access, it could silently pull sensitive user data from unrelated projects.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The script reaches outside the stated video-rendering scope by reading another project's SQLite database and then using those records to drive external GPX retrieval. In a skill advertised as rendering recap videos from per-workout data, this cross-project data access materially expands privilege and data exposure, making the skill capable of harvesting activity history without clear user consent.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code loads credentials from another project's .env file and authenticates directly to Garmin, giving the skill credentialed access to a third-party account. That is a sensitive capability unrelated to simple media rendering and could be abused to access or exfiltrate private fitness data beyond what the user intended to provide.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The script's primary stated purpose is rendering a recap video, but it also includes an optional outbound messaging path that sends the rendered file to Telegram. Adding data exfiltration or sharing behavior outside the documented core function increases risk, especially because the recipient is fixed in code and the usage header does not clearly disclose that media may be transmitted off-device.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
A hard-coded Telegram send target in a video-rendering skill is not justified by the declared functionality and creates an unauthorized data transfer path. Because the destination is fixed and not user-controlled, the rendered video can be silently sent to a third party whenever the flag is used, which is highly suspicious in this context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill processes highly sensitive personal data, including workout history and GPS tracks, yet the description does not clearly warn about the privacy implications of collecting, rendering, storing, and optionally delivering that data. This can lead users to expose precise movement patterns, home/work locations, and health-related metadata without informed consent or proper safeguards.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file explicitly advises using a residential proxy to work around provider blocking and hotlinking restrictions. That guidance encourages bypassing access controls or platform anti-abuse measures, which can expose users to policy, legal, and operational risk and normalizes evasion behavior inside an automation skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Sensitive Garmin credentials are consumed silently from local environment configuration with no user-facing disclosure or consent boundary. Even if the data use is intended for generating video tracks, hidden credential use undermines informed consent and increases the chance of unauthorized account access in shared or agentic environments.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script sends activity identifiers to Garmin and downloads GPX files without explicit disclosure, creating an undisclosed outbound data flow tied to the user's exercise history. In a recap-video skill, this hidden network behavior is riskier because users may reasonably expect local rendering from supplied workout data rather than remote account synchronization.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The Telegram upload sends the generated MP4 to a fixed recipient without any explicit warning in the script header or normal usage text, undermining informed user consent. In the context of a fitness recap tool, the video may contain sensitive workout history or location-derived content, so undisclosed transmission to an external party is a meaningful privacy and security issue.

Session Persistence

Medium
Category
Rogue Agent
Content
### Automated weekly delivery (optional)

If you use the OpenClaw cron system, register a job to run `scripts/weekly.sh` every Monday 09:00 in your timezone. Manage it via:

```bash
openclaw cron list
```
Confidence
80% confidence
Finding
register a job to

VirusTotal

VirusTotal findings are pending for this skill version.
