ClawHub

Ai Daily Briefing.Bak

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent daily briefing helper, but it may surface private tasks, notes, memory, and calendar details when invoked with broad everyday phrases.

Install only if you are comfortable with the assistant reading local productivity files and connected calendar context for briefings. Prefer explicit prompts like "daily briefing" or "run my morning briefing," and avoid enabling calendar or memory sources if those files contain information you do not want summarized in chat.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger phrases are broad enough to match ordinary conversation such as 'start my day', 'what do I need to know?', or 'give me the rundown', which can cause the skill to activate unexpectedly. In this skill, unintended activation is more sensitive because the skill is designed to read personal workspace sources like todo lists, meeting notes, memory files, and calendar data, potentially surfacing private information without an explicit, narrow user request.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to read potentially sensitive sources including todo.md, meeting-notes/, MEMORY.md, memory/[today].md, USER.md, and calendar data, but the user-facing description does not clearly warn that these files and integrations may be accessed. This reduces informed consent and increases the risk of unexpected disclosure of private schedules, notes, preferences, or persistent memory content during a routine 'briefing' request.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The example uses a very broad single-word trigger, "briefing," which is likely to appear in normal conversation and can cause unintended skill activation. In a productivity assistant that may aggregate tasks, calendar items, and meeting-note context, accidental invocation can surface sensitive personal or business information at the wrong time or in the wrong conversational context.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The phrase "what's today look like?" is ambiguous, conversational, and likely to be used in ordinary dialogue even when the user is not intending to invoke this skill. Because the skill output may include calendar details, overdue items, and meeting-derived context, accidental activation can disclose private scheduling and work information.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger "what's overdue?" is overly broad and could match many general conversations about deadlines, billing, or project status. In this skill, such activation would reveal overdue tasks and related work items, which may expose sensitive operational or client information without a sufficiently explicit user request for this skill's data.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The quick-start examples include very broad, natural phrases such as "what's on my plate?" and "start my day" that a user might say in ordinary conversation without intending to invoke this skill. In a voice or chat-routed assistant environment, this raises the risk of accidental skill activation, which could expose personal calendar, task, or meeting-derived context when the user did not explicitly request this specific skill.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal