Reminder

Security checks across malware telemetry and agentic risk

Overview

This reminder skill is coherent and disclosed: it saves reminder details in the workspace and schedules Telegram notifications, with privacy cautions users should understand before use.

Install only if you are comfortable with reminder titles, times, and notes being saved in the OpenClaw workspace and delivered through Telegram. Use explicit reminder commands, review the events.yml file and cron jobs periodically, and avoid putting highly sensitive details in reminder text.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The summary/description is broad enough that the skill could be invoked for ordinary conversation about plans, meetings, birthdays, or schedules without a clearly scoped user action. Because the skill writes to workspace storage and schedules Telegram notifications, over-broad triggering can cause unintended persistence and outbound messaging from casual chat.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill states that it stores events in a workspace file, but it does not present this as an explicit user-facing warning at the point of use. Users may disclose sensitive meetings, birthdays, deadlines, or personal notes without realizing the information will be persisted in a git-synced workspace, increasing privacy and data-retention risk.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill schedules Telegram notifications but does not clearly warn users that reminder content and timing will be sent through Telegram. This creates a privacy risk because sensitive calendar information may be transmitted to an external messaging channel, potentially exposing personal or work details beyond the local workspace.

VirusTotal

66/66 vendors flagged this skill as clean.
