Proactive Agent Skill

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is not malware, but it needs review because it encourages persistent memory, recurring agent tasks, and private account checks without clear limits.

Install only if you are prepared to configure it narrowly. Before enabling it, decide exactly what may be remembered, which accounts or folders may be checked, whether any cron jobs may run after the session, and how to review, disable, and delete saved memory. Do not allow it to store credentials, tokens, regulated personal data, or confidential business content without explicit controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrases are broad and generic enough that the skill could be invoked in situations where the user did not clearly intend to enable persistent memory, automation, or scheduled actions. In this skill's context, accidental activation is risky because the skill promotes proactive behaviors, logging, and cron-based automation that can have side effects beyond a single response.

Missing User Warnings

Medium
Confidence: 96%
Finding
The heartbeat checks explicitly mention reviewing email, calendar, weather, and system status, which implies recurring access to potentially sensitive personal and operational data. Without prominent consent, scope limits, and disclosure of side effects, users may not understand that the skill encourages ongoing monitoring behavior.

Missing User Warnings

Medium
Confidence: 95%
Finding
The architecture describes autonomous crons, working buffers, and persistent memory files without clearly warning that the pattern can modify files and perform unattended recurring actions. In practice, this increases the chance that operators adopt the pattern without understanding persistence, retention, and automation risks.

Ssd 3

Medium
Confidence: 97%
Finding
The working buffer is described as capturing every exchange in a danger zone log, which naturally encourages bulk retention of user prompts, agent outputs, and possibly secrets or personal data. Persistent natural-language logs are difficult to sanitize consistently and can later be exposed through file access, indexing, backups, or reuse by downstream tasks.

Ssd 3

Medium
Confidence: 97%
Finding
The WAL workflow directs logging all critical exchanges and curating them into persistent memory, creating an explicit pipeline for long-term storage of potentially sensitive conversational content. Because this is framed as a core workflow, the skill context makes the retention risk more serious rather than incidental.

Ssd 3

High
Confidence: 99%
Finding
The instruction to 'log everything' materially increases the likelihood that sensitive inputs, credentials, internal system details, and private user content will be written to persistent storage. In a skill centered on memory persistence and autonomous operation, this guidance is especially dangerous because it normalizes indiscriminate retention as a best practice.

VirusTotal

66/66 vendors flagged this skill as clean.
