ClawHub

Run Coach

Security checks across malware telemetry and agentic risk

Overview

This looks like a real running-coach skill, but it needs Review because its image feature can execute unescaped HTML while handling persistent fitness data and messaging it through Telegram.

Review carefully before installing. Use it only if you are comfortable giving it Telegram bot access and, optionally, Garmin account access. Keep tokens and passwords out of shared logs or repositories, avoid sending untrusted or HTML-like text through the image feature until escaping is fixed, and periodically review or delete MEMORY.md plus garmin/.garth and garmin activity files if you stop using the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Tp4

High
Category
MCP Tool Poisoning
Confidence
86% confidence
Finding
The skill handles sensitive integrations beyond a simple running coach: Telegram bot messaging, Garmin authentication, and likely local token persistence. If users are not clearly informed that credentials are stored and external services are contacted, they may expose secrets or personal fitness data without understanding the privacy and security implications.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
This file implements outbound Telegram messaging, which is not clearly necessary for a running-coach skill described as training plans and Garmin sync. That creates an unnecessary external communication channel that could be repurposed to transmit user data or deliver unsolicited messages, especially because images and captions are sent to arbitrary chats.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Accepting a raw bot token and arbitrary chat ID from the command line turns this script into a generic Telegram exfiltration or messaging utility. In a larger agent environment, any component able to invoke this script could send files and captions to attacker-controlled destinations, bypassing intended data-flow restrictions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This memory file is explicitly auto-loaded every session and prompts the user to store sensitive personal and health-related data, including age, location, injury history, and race/training history, without any visible privacy warning, retention notice, or data-minimization guidance. In a coaching context this information is not inherently malicious, but persistent automatic loading increases the risk of over-collection, unintended exposure to downstream tools or logs, and privacy harm if the skill or platform is compromised.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The instructions tell users to store Garmin email and password as environment variables without a clear security warning about credential sensitivity, storage risks, or token persistence. This can lead to unnecessary exposure of a user's primary account credentials, especially in shared environments, logs, shell history, or misconfigured containers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends screenshots and captions to Telegram without any explicit user confirmation or clear notice at the point of transmission. This is dangerous because training plans or generated content may contain personal schedule, health, or location-adjacent information, and silently transferring it to an external service can violate user expectations and leak sensitive data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script sends user-provided title/content to Telegram using environment-supplied credentials without any user-facing notice or confirmation at the point of transfer. In a coaching context, generated plans may include personal schedule, health, or training details, so silent outbound transmission creates a real privacy and data-handling risk.

External Transmission

Medium
Category
Data Exfiltration
Content
process.exit(1);
}

const API = `https://api.telegram.org/bot${botToken}`;

if (pngFiles.length === 1) {
  // Single image: try sendPhoto, fallback to sendDocument
Confidence
84% confidence
Finding
https://api.telegram.org/

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal