Todo Tracker (待办事项追踪)

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward local todo-list skill that saves tasks on the user's computer and does not show network, credential, or hidden behavior.

Safe to install for local todo tracking. Avoid putting passwords, tokens, or highly sensitive personal details in todo text because tasks are stored locally in ~/.qclaw/workspace/todos.json until the file is deleted or edited.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Low
Confidence: 89%
Finding
The markdown notes that todos are stored in ~/.qclaw/workspace/todos.json, but it does not clearly warn users that their task data will be persistently written into their home directory. Persistent storage of potentially sensitive task content can expose private work details, especially on shared systems or where users assume the tool is ephemeral.

VirusTotal

65/65 vendors flagged this skill as clean.
