macOS Notification Reader

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says by reading and saving local macOS notifications, but it needs broad Full Disk Access and can persist sensitive message and work data without strong controls.

Install only if you are comfortable granting Python Full Disk Access and saving notification contents to local OpenClaw memory files. Prefer manual runs before cron, narrow the scripts to the apps and time windows you actually need, review and delete generated logs, and revoke Full Disk Access when you stop using it. I found no artifact-backed evidence of network exfiltration or destructive behavior; VirusTotal was pending and the static scan was clean, so the Review verdict is based on broad local permission and persistent sensitive-data handling rather than malware evidence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (5)

Missing User Warnings

Medium, 93% confidence
Finding:
The skill instructs users to grant Full Disk Access and then export notification contents without an explicit, prominent privacy warning about the sensitivity of messages, sender data, calendar items, and other personal/work content that will be copied to markdown files. This creates a real privacy risk because users may enable broad OS permissions and persist sensitive data to disk or automation pipelines without understanding the consequences.

Missing User Warnings

Medium, 93% confidence
Finding:
The manifest explicitly requests Full Disk Access to read the macOS notification database, which can expose highly sensitive personal and work data such as message previews, email subjects, calendar alerts, and other application notifications. The description presents this as a productivity feature but does not warn users about the breadth of data access, retention risks, or the sensitivity of notifications from apps like WeChat, Teams, and Outlook, increasing the chance of uninformed consent and privacy harm.

Missing User Warnings

Medium, 95% confidence
Finding:
The script accesses highly sensitive macOS notification content and persists it to a plaintext file on disk, potentially exposing message previews, emails, calendar data, and other private information. In a skill context this is more dangerous because it normalizes bulk collection of user notifications and stores them in a reusable location without explicit consent, warning, minimization, or protection controls.

Missing User Warnings

Medium, 90% confidence
Finding:
The script persists notification contents from work-related apps into a markdown file under the user's home directory, which can retain sensitive message previews, names, or requests beyond their original transient notification lifecycle. This increases exposure to local compromise, accidental disclosure, syncing/backup leakage, and unauthorized later access because the data is stored without consent flow, minimization beyond truncation, or retention controls.

Missing User Warnings

Medium, 82% confidence
Finding:
The script invokes an external helper to read recent system notifications, which can expose sensitive information from messaging and email apps even when users do not expect those notifications to be harvested programmatically. In this skill context, the script specifically targets work-related apps, making the collected data more likely to include confidential corporate communications, requests, and personal identifiers.

VirusTotal

66/66 vendors flagged this skill as clean.
