Token Efficient Agent

Security checks across malware telemetry and agentic risk

Overview

The skill appears useful for efficiency, but it encourages background pattern-learning and predictive preloading without clear user consent or privacy limits.

Install only if you are comfortable with the agent using this skill to anticipate future needs. Before enabling it, look for an explicit opt-in setting, limits to current-session context, and a way to disable or clear any learned patterns. The evidence does not show exfiltration or destructive behavior, but the privacy controls are under-specified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
The skill explicitly recommends predictive preloading during lulls and learning user behavior patterns to anticipate future queries. In an OpenClaw environment with access to personal memories, documents, and calendar data, this normalizes proactive retrieval and profiling beyond the user’s immediate request, which can expose private data without clear necessity or consent.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The heartbeat optimization section advises background learning of user patterns and predictive preloading as a standing system behavior. That creates an unjustified surveillance-like capability for a token-efficiency skill, because it encourages ongoing behavioral inference and background processing that may touch sensitive personal data absent a live user request.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill presents predictive access patterns as an efficiency optimization but does not warn that this may involve proactive access to personal memories, calendar cues, or other sensitive context. Without explicit notice and consent, users may be unaware that the agent is profiling behavior and prefetching personal data, undermining transparency and informed control.

VirusTotal

65/65 vendors flagged this skill as clean.
