ClawHub

Session Task Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a local task tracker that openly keeps persistent task notes, with privacy caveats but no evidence of hidden access, exfiltration, or destructive behavior.

Install only if you want the agent to keep local task notes across sessions. Review the tasks directory periodically, and avoid storing passwords, tokens, private account details, sensitive links, or confidential configuration values in these plaintext files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill is configured to trigger on very common conversational patterns such as new tasks, status questions, and session starts, which creates a real risk of unintended activation. Because the skill writes persistent task files, accidental firing can silently capture and store conversation-derived information that the user did not explicitly intend to persist.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill persistently stores task context across sessions but does not clearly warn users that their conversation content may be written to disk. This undermines informed consent and can lead to retention of sensitive project details, links, accounts, constraints, or other private information beyond the current session.

Session Persistence

Medium
Category
Rogue Agent
Content
### Creating a New Task

1. Create `tasks/{task-name}.md` using the template above
2. Add entry to `_INDEX.md` under 进行中
3. Confirm creation with user

### Updating a Task
Confidence
94% confidence
Finding
Add entry to

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal