Proactive Agent Local

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent proactive-memory agent, but it gives the agent broad ongoing access and autonomy that users should review carefully before installing.

Install only if you want a highly proactive, persistent agent. Before using it, restrict email/calendar access, disable or confirm any cron or sub-agent automation, require approval before cleanup actions, and review the memory files regularly for sensitive personal or credential-adjacent information.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (34)

Context-Inappropriate Capability (Medium, 89% confidence)

The skill explicitly tells the agent to 'use every tool' including CLI, browser, web search, and spawning agents, which materially expands the execution surface beyond what is necessary for a memory/proactivity skill. In practice, this can cause an agent to invoke powerful capabilities or delegate tasks to sub-agents without clear least-privilege boundaries, increasing the chance of unsafe actions, prompt injection propagation, or data exposure.

Context-Inappropriate Capability (Medium, 83% confidence)

The reverse-prompting section instructs creation of a weekly cron reminder, introducing autonomous scheduled behavior that persists beyond the immediate user request. Scheduled actions can generate unrequested outreach, operate in changed contexts, and continue running without fresh consent or review.

Context-Inappropriate Capability (Medium, 91% confidence)

The skill authorizes broad external actions such as web searching, checking calendars, and generally working within the workspace without tying those capabilities to a narrowly scoped task. For a general 'proactive agent' skill, this materially expands surveillance and action surface area and can lead to unnecessary access to sensitive data or services beyond user expectations.

Context-Inappropriate Capability (Medium, 97% confidence)

The heartbeat behavior explicitly instructs the agent to monitor emails and calendars and decide when to reach out based on what it finds. This creates ongoing autonomous access to highly sensitive personal data sources, which is disproportionate to the stated skill description and risks privacy violations, behavioral profiling, and unexpected notifications.

Context-Inappropriate Capability (Medium, 90% confidence)

The heartbeat directs the agent to close applications, manage browser tabs, and move files to trash as a routine behavior, even though the skill description does not establish user-authorized device administration. This expands the agent's operational scope into modifying the user's environment and can cause disruption, data loss, or unsafe interference with active work if executed automatically.

Context-Inappropriate Capability (Medium, 92% confidence)

The checklist instructs periodic review of emails and calendar items, which introduces ongoing access to privacy-sensitive personal or business data without clear scope limitation or explicit user approval in the skill description. In a proactive agent context, this can normalize surveillance-like behavior and expose sensitive information beyond what is necessary for the current task.

Vague Triggers (Medium, 86% confidence)

The reverse-prompting guidance tells the agent to ask for additional information based on broad situational cues such as learning new context or sensing routine. That creates an open-ended trigger for soliciting more personal information than is necessary, increasing the chance of unnecessary profiling or collection of sensitive details without a clear task-bound need.

Vague Triggers (Medium, 92% confidence)

The curiosity loop explicitly uses conversation length as a trigger to ask 1-2 questions to fill gaps in understanding. Because the trigger is vague and not tied to user consent or operational necessity, it can pressure broad personal-data collection during ordinary chat and normalize ongoing profiling.

Missing User Warnings (Medium, 95% confidence)

The onboarding flow says the agent auto-populates persistent user files from answers and tracks progress across sessions, but it does not clearly warn users that their information will be stored long term. This can lead to uninformed collection and retention of personal data, especially if users assume the interaction is ephemeral.

Missing User Warnings (Medium, 81% confidence)

The description advertises proactive check-ins and monitoring behavior without a clear user-facing warning that the agent may autonomously inspect files, logs, tabs, or system state. In practice, that can surprise users and expand the agent's operational scope beyond what they knowingly authorized.

Missing User Warnings (Medium, 95% confidence)

The WAL protocol directs the agent to scan every message and automatically persist corrections, names, preferences, decisions, and other specifics to SESSION-STATE.md before responding. This creates silent retention of potentially sensitive user data without notice, consent, minimization, or classification, making overcollection and accidental later disclosure more likely.

Missing User Warnings (Medium, 97% confidence)

The working-buffer protocol requires logging every exchange after a context threshold, including the human's full message and an agent summary, with 'no exceptions.' Comprehensive conversation capture without an explicit warning or consent model creates a substantial privacy risk and can preserve secrets, credentials, or sensitive personal content that appeared only transiently in chat.

Vague Triggers (Medium, 84% confidence)

The skill frames itself as acting proactively, anticipating needs, and creating value without being asked, but gives only limited scope constraints. Overbroad activation language can cause agents to initiate actions, collect information, or generate outputs in situations where user intent is ambiguous, increasing the chance of boundary violations and unsafe autonomy.

Vague Triggers (Medium, 90% confidence)

The WAL trigger scans every message for very common conversational elements like names, preferences, numbers, and corrections, which are ubiquitous in normal chat. Such broad matching encourages indiscriminate persistence of ordinary conversation into durable files, creating unnecessary privacy risk and memory pollution that can later affect decisions or disclosures.

Vague Triggers (Medium, 89% confidence)

The directive 'Don't ask permission. Just do it.' broadly encourages self-initiation before adequate authorization checks. Even though nearby text contains some guardrails, this kind of high-priority instruction can cause the agent to over-apply autonomy in ambiguous situations and bypass normal consent expectations.

Missing User Warnings (Medium, 95% confidence)

These instructions authorize environment-changing actions such as closing apps, closing tabs, and moving screenshots to trash without warning the user that the skill may alter their system state. Even if framed as cleanup, silent modification of the user's workspace is risky because it may interrupt work, discard useful context, or remove files the user intended to keep.

Missing User Warnings (Medium, 93% confidence)

The periodic review of emails and calendar involves privacy-sensitive sources, yet the skill provides no warning, consent flow, or handling constraints for that access. This is dangerous because an autonomously scheduled agent may ingest confidential messages, schedules, and third-party data outside the user's immediate awareness.

Missing User Warnings (Medium, 94% confidence)

This template explicitly prompts the collection and long-term retention of personal and potentially sensitive data such as important dates, relationships, preferences, and contextual background without any privacy guidance, minimization limits, or handling restrictions. In an agent memory system, this increases the risk of over-collection, accidental exposure, inappropriate reuse across contexts, and noncompliant retention of personal data.

Missing User Warnings (Medium, 94% confidence)

The file tells the agent to copy onboarding answers into USER.md and SOUL.md, but it does not warn the user that personal information they provide will be persisted and replicated into other files. This creates an informed-consent and unnecessary data-sprawl problem: users may share names, timezone, goals, work context, and key relationships without realizing that data will be stored long-term in multiple locations.

Natural-Language Policy Violations (Medium, 94% confidence)

The template explicitly invites users to document tool-specific configurations and credential locations, and even includes an example API key filename under a `.credentials/` directory. Although it says not to store credentials themselves, encouraging secret-related note-taking in a freeform operational document increases the chance that real secrets, token fragments, recovery details, or overly precise secret locations will be recorded and later exposed through prompts, indexing, or accidental commits.

Missing User Warnings (Medium, 91% confidence)

This template prompts the collection of personal context such as name, timezone, relationships, preferences, projects, and life goals, but provides no guidance on data minimization, consent, storage, retention, or access controls. In an agent skill designed to make the AI more proactive, this increases the chance that sensitive profiling data will be gathered and persisted in ways the user does not fully understand, creating privacy and misuse risks.

Missing User Warnings (Medium, 94% confidence)

The file explicitly instructs the agent to persist onboarding answers and user details into local profile files, but it does not require clear user notice, consent, or limits on retention. That creates a privacy risk because sensitive or identifying information may be stored indefinitely and reused across sessions without the user understanding that persistence is happening.

Missing User Warnings (Medium, 97% confidence)

The opportunistic learning section encourages collecting and storing incidental personal details inferred from normal conversation, such as location, preferences, relationships, and projects, without explicit notification. This is more dangerous in context because the collection is designed to be woven naturally into conversation, making the persistence less visible and increasing the chance of covert profiling.

Ssd 3 (Medium, 89% confidence)

The skill instructs the agent to update persistent identity and user-context files as it learns from conversation, but it gives no minimization standard for what should or should not be retained. That can cause over-collection of personal or sensitive information and repeated reuse of data outside the original conversational context.

Ssd 3 (Medium, 97% confidence)

The memory flush protocol encourages writing 'everything important' and, at high context usage, a 'full context summary' before the next response. This creates a strong incentive to persist large volumes of conversation content, including decisions, reasoning, and potentially secrets or sensitive personal data, into durable files where exposure risk is much higher.

VirusTotal

61/61 vendors flagged this skill as clean.