Proactive Agent V2

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives a proactive agent broad memory, monitoring, cleanup, self-editing, and delegation authority without enough user control.

Install only if you intentionally want a persistent proactive agent. Before enabling it, require explicit approval for email/calendar access, browser or app cleanup, file deletion or trash moves, spawned agents, autonomous cron work, and edits to AGENTS.md, SOUL.md, USER.md, MEMORY.md, TOOLS.md, or skill files. Also set clear rules for what personal data may be stored, how long it is kept, and how to review or delete it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (40)

Context-Inappropriate Capability

Medium severity, 84% confidence
The skill explicitly encourages aggressive autonomy, including spawning agents and using every available tool before asking for help. In an agent environment, this increases the chance of unreviewed actions, privilege overreach, and unsafe execution paths that exceed a simple memory/proactivity helper's expected scope.

Context-Inappropriate Capability

Medium severity, 91% confidence
The autonomous cron section instructs use of isolated agent turns to perform work without human or main-session attention. That creates a genuine unsafe automation pattern: background execution can modify state, act on stale context, or amplify prompt-injection and misalignment issues without contemporaneous oversight.

Description-Behavior Mismatch

Medium severity, 92% confidence
These rules authorize actions like web searches and calendar checks under a broad 'do freely' umbrella, extending the skill beyond its stated purpose of proactive improvement patterns. Even though some outbound actions require approval, the scope expansion increases access to potentially sensitive resources without clear task-bound justification.

Description-Behavior Mismatch

Medium severity, 95% confidence
The heartbeat workflow instructs the agent to inspect emails and calendar events proactively, which can expose sensitive personal or business information unrelated to the skill's core function. Because this occurs during routine polling, it normalizes repeated access to high-value data sources without explicit per-use consent.

Context-Inappropriate Capability

Medium severity, 94% confidence
Directing the agent to inspect email and calendar is not clearly tied to the stated proactive-agent purpose and creates unnecessary exposure to private communications and scheduling data. This mismatch matters because overbroad data access increases the chance of privacy violations, prompt injection through external content, and unintended autonomous decisions.

Context-Inappropriate Capability

Medium severity, 93% confidence
Telling the agent to use 'every tool' including browser, web search, and spawned agents encourages broad capability use without task-specific constraints. This can lead to unnecessary exposure to untrusted content, privilege creep, and harder-to-audit autonomous behavior when the agent encounters blockers.

Context-Inappropriate Capability

Medium severity, 93% confidence
The heartbeat directs the agent to perform system cleanup actions such as closing apps, cleaning browser tabs, and moving files to trash, which are unrelated to the stated proactive-partner scope and can alter the user's environment. Even if framed as maintenance, these actions are state-changing and potentially destructive without explicit per-action consent or clear safety boundaries.

Context-Inappropriate Capability

Medium severity, 91% confidence
The proactive work section encourages periodic inspection of emails, calendar, and projects despite the skill description not establishing those data-access privileges. This expands the agent's operational scope into sensitive personal/work data and can normalize unauthorized monitoring behavior.

Context-Inappropriate Capability

Medium severity, 93% confidence
The onboarding flow prompts the agent to collect broad personal, lifestyle, and relationship data such as goals, ideal life, work context, and key people. For a proactive-agent skill, some personalization is expected, but the scope is overly broad and not clearly minimized to what is necessary, creating unnecessary privacy and profiling risk if the data is retained, exposed, or reused outside the user's expectations.

Context-Inappropriate Capability

Medium severity, 96% confidence
The file directs the agent to persist collected personal information into USER.md and SOUL.md, turning transient onboarding answers into long-term profile data. Persistent storage increases the chance of unintended reuse, overcollection, secondary use, and leakage of sensitive personal context across future interactions.

Missing User Warnings

Medium severity, 93% confidence
The skill explicitly instructs the agent to gather onboarding answers over time, persist progress, and auto-populate USER.md and SOUL.md with user information, but it does not include a meaningful privacy notice, data minimization guidance, retention limits, or user consent controls. This creates a real privacy risk because sensitive personal context can accumulate across sessions and be retained indefinitely in plain-language files.

Missing User Warnings

High severity, 97% confidence
The architecture overview states that TOOLS.md contains tool configurations, gotchas, and credentials, which normalizes storing secrets in a general workspace document. Plaintext credential storage in agent-accessible notes greatly increases the chance of accidental disclosure through logs, summaries, memory files, or prompt injection-driven exfiltration.

Vague Triggers

Medium severity, 93% confidence
The skill defines a highly broad trigger that scans every message for common conversational elements like corrections, names, preferences, and decisions, then forces a state-changing action before responding. This creates an always-on behavioral hook that can over-collect sensitive user data and can be abused to persist prompt-injected or privacy-sensitive content without meaningful user awareness or consent.

Missing User Warnings

Medium severity, 97% confidence
The quick-start flow instructs the agent to auto-populate persistent profile files from user answers, but it does not present a clear, explicit warning that the answers will be stored long-term in workspace files. That creates a privacy and consent gap, especially because onboarding answers often contain personal preferences, goals, and other sensitive context.

Missing User Warnings

High severity, 99% confidence
The working buffer requires logging every exchange after a context threshold, including the user's message and an agent summary, without requiring consent or providing a privacy warning. This creates broad passive retention of potentially sensitive content and substantially increases the blast radius if the workspace is later exposed, searched, or reused by tools or sub-agents.

Vague Triggers

Medium severity, 79% confidence
The WAL trigger scans every message for broad conversational cues like corrections, preferences, and proper nouns, then instructs the agent to persist them immediately. This can cause over-collection of sensitive or irrelevant data and makes it easier for benign or adversarial prompts to steer durable state updates unintentionally.

Vague Triggers

Medium severity, 80% confidence
The compaction recovery logic auto-triggers on vague phrases such as 'continue' or 'where were we,' which are common in normal conversation. Overbroad triggers can cause unnecessary recovery routines, unintended file reads, and state restoration based on weak signals rather than clear operator intent.

Missing User Warnings

Medium severity, 88% confidence
The onboarding flow says the agent auto-populates USER.md and SOUL.md from the user's answers without presenting privacy, minimization, or consent safeguards. That is risky because it encourages persistent collection of personal context into local files that may later be searched, copied, or exposed.

Vague Triggers

Medium severity, 90% confidence
The instruction 'Don't ask permission. Just do it.' promotes autonomous action before establishing task scope or user intent boundaries. In a skill that also encourages reading memory and context files, this can cause unsolicited access to sensitive data and overreach beyond what the user expected.

Missing User Warnings

Medium severity, 89% confidence
The checklist instructs the agent to write memory and notes files immediately at session end, creating or modifying persistent records derived from user interactions without any warning or consent checkpoint. Persistent storage of inferred context increases privacy risk and may retain sensitive information longer than the user expects.

Missing User Warnings

Medium severity, 95% confidence
The cleanup instructions authorize potentially destructive actions such as closing applications, closing browser tabs, bookmarking pages, and moving screenshots to trash without warning about impact on unsaved work or user state. This can cause data loss, disrupt workflows, and create actions the user did not explicitly request.

Missing User Warnings

Medium severity, 90% confidence
The skill suggests periodically checking emails, calendar, and projects without warning that these sources may contain sensitive personal, professional, or confidential information. Encouraging routine access absent notice or consent creates unnecessary privacy and confidentiality exposure.

Missing User Warnings

Medium severity, 91% confidence
The template explicitly prompts storing personal background, preferences, important dates, and relationship details in long-term memory without any notice about consent, data minimization, retention limits, or handling of sensitive information. In an agent skill designed to make assistants more proactive and continuously improve, this increases the likelihood of unnecessary collection and persistence of personal data that could expose users to privacy harm if accessed, misused, or retained too broadly.

Missing User Warnings

Medium severity, 95% confidence
The onboarding instructions describe storing personal context for future proactive behavior but provide no warning or disclosure about data handling, retention, or sensitivity. This omission can mislead users into sharing more than they would if they understood the persistence and downstream use of their personal information.

Missing User Warnings

Medium severity, 95% confidence
This template explicitly prompts the collection of personal profile data, relationships, goals, work habits, timezone, and freeform notes about a human without any guidance on data minimization, consent, retention, or secure handling. In a proactive-agent skill, this is more dangerous because the agent is designed to accumulate context over time, increasing the chance of oversharing, unnecessary profiling, and leakage of sensitive personal information into prompts, logs, or downstream tools.

VirusTotal

65/65 vendors flagged this skill as clean.