Olympic Alert

Security checks across malware telemetry and agentic risk

Overview

This skill is a local Olympic event reminder with disclosed local state and schedule edits, and no evidence of hidden network, credential, or destructive behavior.

Install this only if you want Olympic-related trigger words and any configured heartbeat to run a local Python reminder checker. Be aware that add and remove commands modify the bundled schedule file, and pattern-based removal may delete more than one matching event.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill documentation indicates file read/write behavior via `events.json` management and a persistent state file under `~/.config/olympic-alert/state.json`, but no explicit permissions are declared. Undeclared filesystem access weakens transparency and user consent, and can lead to unexpected modification of local data when the skill is invoked.

Vague Triggers

Medium
Confidence
74% confidence
Finding
Broad triggers such as `올림픽`, `Olympic`, and `밀라노` can cause the skill to activate in conversations that are merely discussing the Olympics rather than requesting schedule management or notifications. Because the skill has file write capability and stateful behavior, unintended invocation increases the chance of accidental local data changes or noisy execution.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill documents a `remove` operation that deletes schedule entries by name pattern matching, but does not warn users that local schedule data will be modified or that pattern-based deletion may remove multiple entries. In a conversational agent setting, this raises the risk of accidental or overly broad destructive changes to user-maintained event data.

VirusTotal

56/56 vendors flagged this skill as clean.
