SkillHub Daily

Security checks across malware telemetry and agentic risk

Overview

The skill is purpose-built for daily SkillHub recommendations, but it needs review because it can read local memory/log context, reuse existing IMA credentials, and send reports to external systems on a schedule.

Install only if you are comfortable with the skill reading memory/log context for personalization and sending generated reports to the destinations you configure. To reduce the risk:
  • Prefer Cron prompts with explicit pain points if you do not want memory scanning.
  • Use environment variables or a dedicated config for IMA credentials.
  • Avoid sharing credentials from other skills unless intentional.
  • Verify Feishu/IMA/Obsidian destinations before enabling scheduled delivery.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The skill directs the agent to read broad memory sources, including recent daily logs, MEMORY.md, and GBrain content, to infer user pain points. For a recommendation workflow, this creates unnecessary access to potentially sensitive personal or work data unless the user has provided specific, informed consent for that mode and scope of scanning.

Context-Inappropriate Capability

Medium
Confidence: 88%
Finding
The skill includes credential discovery from environment variables and multiple config-file paths for IMA integration, expanding access to secrets beyond the immediate recommendation task. Even if intended for convenience, searching common secret locations increases the chance of unintended secret exposure or misuse if the skill or its downstream scripts are compromised.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The script intentionally searches credential files belonging to other skills and user tool directories (~/.qclaw and ~/.workbuddy) to obtain IMA API credentials. That is broader than necessary for this utility and creates a cross-skill secret access path: a skill that lacks its own credentials can silently reuse credentials provisioned for another skill, violating least privilege and potentially enabling unauthorized note or knowledge-base operations.

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger phrases shown in the README are very broad natural-language requests such as '每日推荐' ("daily recommendation") and '帮我推荐技能' ("recommend skills for me"), which can overlap with ordinary user conversation. In agent platforms that auto-route skills based on keyword matching, this increases the chance of unintended invocation, causing the skill to run scans, gather user pain points, or push results to storage channels without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence: 91%
Finding
The README promotes automated scheduled execution and multi-channel storage, but it does not prominently warn users that pain points, recommendation content, and possibly derived preference/profile data may be transmitted to third-party platforms or persisted automatically. In an agent skill context, silent background execution plus external storage materially raises privacy and data-governance risk, especially when cron jobs run unattended.

Vague Triggers

Medium
Confidence: 90%
Finding
The release notes advertise a natural-language installation trigger phrase ("帮我安装 skillhub-daily", roughly "install skillhub-daily for me") that could plausibly appear in ordinary conversation and be interpreted as an actionable install request by an agent platform. In a skill ecosystem where conversational text can trigger tool use or package installation, this creates a prompt/command ambiguity that may cause unintended installation or activation.

Missing User Warnings

Medium
Confidence: 87%
Finding
The document describes Cron-based automated execution and multi-path credential lookup across local config locations without a prominent warning about privacy, persistence, or system-impact implications. In this skill's context, automated scheduled runs plus credential discovery can access local state repeatedly and may surprise users if they do not understand what data is scanned, which credentials are read, and when tasks run unattended.

Missing User Warnings

Medium
Confidence: 86%
Finding
The user-facing description and early workflow do not prominently warn that personalization may involve scanning memory files and recent logs. This undermines informed consent, especially because the skill presents itself as a recommendation tool while later requesting access to sensitive contextual data for profiling.

Missing User Warnings

Medium
Confidence: 91%
Finding
The document instructs users to place API credentials in references/config.json but does not clearly warn that this file contains secrets, should be excluded from version control, and must be protected with restrictive filesystem permissions. In a skill intended for automation and cross-platform use, this omission increases the chance of accidental credential exposure through commits, backups, shared folders, or overly broad local access.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger list includes broad everyday phrases such as '帮我推荐技能' ("recommend skills for me") and '看看有什么好 Skill' ("see what good Skills there are"), increasing the chance of accidental activation during normal conversation. In this skill, accidental activation is more dangerous because execution may scan MEMORY.md and recent logs, then generate and store or push a report to external channels without a clearly documented confirmation step.

Vague Triggers

Medium
Confidence: 80%
Finding
The phrase '等触发词' ("and other trigger words", an open-ended trigger list) leaves activation boundaries undefined, which can cause the agent or platform to interpret loosely related user input as consent to run the skill. Because this skill can inspect memory and logs and perform outbound pushes, ambiguous activation increases the risk of unintended data processing or disclosure.

Missing User Warnings

High
Confidence: 95%
Finding
The document explicitly states that the skill scans MEMORY.md and recent logs, extracts user pain points, and may store or push summaries to external systems, but it does not present a prominent privacy warning, consent flow, or data minimization guidance. In this skill context, that is dangerous because memory and logs can contain sensitive personal or organizational data that may be transmitted off-platform or persisted in third-party knowledge bases.

Missing User Warnings

High
Confidence: 96%
Finding
The cron example automates external delivery to Feishu/WeChat/knowledge-base channels and instructs the agent to use embedded pain points and knowledge base identifiers, yet it omits meaningful warnings about automatic outbound data transfer, confidentiality, or misdelivery risk. Scheduled unattended execution makes this more dangerous than an interactive flow because sensitive content can be sent repeatedly without real-time human review.

VirusTotal

65/65 vendors flagged this skill as clean.