Proactive Claw

Security checks across malware telemetry and agentic risk

Overview

This calendar assistant is not malicious, but it deserves Review because it can read broad calendar data and store local memory, and some paths can write or delete its action-calendar items without the approval language being fully enforced.

Install only if you are comfortable granting broad calendar access and keeping local productivity memory on disk. Start with dry-run and simulation commands, keep autonomy at confirm or advisory, avoid enabling the daemon, policy engine, relationship memory, or calendar editor until you understand their effects, and verify the Actions calendar plus local token/database files. Be aware that watched/ignored calendar filters are not consistently honored by every scan path in this version.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill declares no explicit permissions while the documentation clearly indicates capabilities for shell execution, local file read/write, network access to calendar providers, and persistent state storage. This creates a transparency and consent problem: users and the platform cannot accurately assess the risk surface before installation, especially for a skill that can modify calendars and handle tokens.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description frames the skill as a productivity assistant, but the documented behavior includes materially sensitive actions: direct calendar modifications, persistent behavioral profiling, background scanning, and autonomous policy-driven scheduling. This mismatch can mislead users into granting trust without understanding the extent of automation, data retention, and side effects, increasing the chance of harmful or unauthorized changes.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The file goes beyond passive analysis and can modify the user's calendar by creating focus blocks. In an agent skill, hidden or under-disclosed write capabilities are risky because users may expect recommendations only, while invoking this path causes external side effects on personal scheduling data.

Context-Inappropriate Capability

Medium
Confidence
80% confidence
Finding
An energy predictor plausibly suggests time blocks, but directly writing calendar events is a privileged action that is broader than simple prediction. If this capability is not clearly justified and communicated, it increases the chance of over-privileged behavior and unexpected modification of user data.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The import path trusts a user-supplied backup directory and performs bulk INSERT OR REPLACE operations into arbitrary tables listed in manifest.json, allowing overwrite of the skill's internal state without schema validation, table allowlisting, integrity checks, or confirmation. In the context of a proactive assistant that may act on stored memory/config-driven behavior, importing tampered backups could poison memory, alter behavior, or corrupt data persistently.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The file automatically creates follow-up calendar events based on inferred stale action items, which is a materially stronger capability than a generic productivity assistant description suggests. This can cause unauthorized or surprising writes to a user's calendar, especially because the action is derived from historical personal data and performed without an approval step in this code path.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The file implements autonomous multi-skill orchestration for high-stakes events, which materially exceeds the manifest's simple 'personal assistant' description. This hidden expansion of capability weakens informed consent and makes it easier for users to install a skill without realizing it can coordinate actions and data across other components.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code enumerates the global skills directory and changes behavior based on whether unrelated skills such as gmail or email are installed. In a plugin ecosystem, this is dangerous because it expands the skill's reach beyond its own boundary and creates undeclared coupling that can expose user data or trigger actions via other installed components.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The code derives and stores sentiment scores about identifiable contacts from meeting outcomes, then exposes those judgments through lookup and ranking features. This creates people-profiling data that is not obviously necessary from the skill’s broad productivity description and can lead to privacy harm, biased decision-making, and inappropriate retention of sensitive interpersonal assessments.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The briefing logic turns historical sentiment into evaluative tips such as calling contacts 'challenging,' which operationalizes subjective profiling into future decision support. In context, this increases the risk of unfair treatment, reputational harm, and misuse of inferred personal data during workplace interactions.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The main scan path enumerates every non-OpenClaw calendar and reads events from each, which can exceed the user's expected data scope for a productivity assistant. This broad collection increases exposure of sensitive event titles, descriptions, attendees, and timing from calendars that may be personal, confidential, or unrelated to the skill's purpose.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The helper function's docstring claims watched/ignored calendar filters are respected, but the actual main execution path bypasses those controls and scans all non-OpenClaw calendars. This mismatch is dangerous because operators and users may rely on documented privacy boundaries that are not actually enforced.

Description-Behavior Mismatch

Low
Confidence
80% confidence
Finding
The Google setup path reads the primary calendar profile and stores the user's email in config.json even though email is not strictly necessary to create or locate the action calendar. This expands data collection beyond the minimum needed for setup and persists personal information locally, increasing privacy exposure if the config file is later accessed by other skills or users.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This planner automatically creates calendar events such as reminders, prep blocks, buffers, debriefs, and confirm-delete prompts based on scanned user events and policy rules, with no per-action user confirmation in the code path. In a productivity skill, silent calendar modification is security-relevant because it can manipulate schedules, create misleading entries, or be abused by malicious or buggy policy/configuration data to spam or interfere with the user's workflow.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The clear_window path can delete calendar events immediately when called with --clear, with no built-in confirmation prompt or safety interlock beyond limiting deletion to the OpenClaw-managed calendar. In an agentic context, natural-language parsing mistakes or prompt/automation misuse could cause unintended bulk deletion of user data, making this more dangerous than a normal CLI helper.

Missing User Warnings

Medium
Confidence
71% confidence
Finding
The script persistently stores potentially sensitive notes, action items, sentiment, and follow-up metadata to disk and may additionally sync them into Apple Notes without any explicit consent, warning, or minimization. In a proactive assistant context that learns from user activity, this increases privacy risk because meeting outcomes and personal/professional data may be retained or replicated in locations the user does not expect.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The daemon persists calendar-derived notification messages and event identifiers to pending_nudges.json on disk, creating a local record of potentially sensitive user activity. In a proactive calendar assistant, this is more dangerous because the content can expose meeting names, schedules, and follow-up prompts even when the user may expect ephemeral notifications only.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The daemon writes logs and state files containing timestamps, notification messages, and event-tracking metadata to disk without any evident disclosure or consent flow. Given this skill continuously monitors user calendars and activity, those files can become a durable history of sensitive routines, meetings, and assistant actions that may be readable by other local processes or backup systems.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code creates calendar events immediately in create_focus_blocks() without obtaining confirmation at the point of the write. In agent contexts, lack of just-in-time confirmation can lead to unwanted or accidental changes to calendars, especially when suggestions are generated automatically from historical data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The backup import performs silent bulk writes to the live database and uses INSERT OR REPLACE, which can overwrite existing records without any user-facing warning, preview, or transaction rollback path exposed to the caller. This increases the chance of destructive or unintended state changes, especially because the skill stores long-term assistant memory and imported data may directly influence future actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Automatic creation of calendar follow-up events occurs without any visible confirmation, warning, or approval gate in this file. That creates a safety and privacy issue because the system can take external actions on the user's behalf based on inferred intent from prior events, leading to unwanted scheduling, disclosure in calendar titles, or trust erosion.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The code persistently writes user-specific calendar linkage data to a SQLite database under the user's home directory without any in-code notice, consent flow, retention control, or visibility into what is stored. While this is not remote code execution or direct privilege escalation, it is a real privacy/security issue because the database contains behavioral metadata about the user's events and actions that could be exposed to other local processes, backups, or unintended operators.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code persists sensitive event metadata, open action items, pattern history, and email draft content into a local pending_nudges.json file without any notice, minimization, or access control. For a high-stakes event workflow, this creates a durable local record of potentially confidential business or personal details that could be exposed to other local users, backup systems, or later-compromised processes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code can autonomously create calendar events in `_execute_action` without any user-facing warning or real-time confirmation at the moment of execution. Although `evaluate_policies` supports advisory/confirm modes, the CLI path calls it without loading config, and autonomous policies are designed to execute once that mode is enabled, which can silently modify a user's calendar and create unwanted or disruptive entries.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code persists detailed event scoring history, including event IDs, titles, final scores, and explanation metadata, into a local SQLite database under the user's home directory with no access controls, minimization, retention enforcement, or user-consent flow visible in this file. In a productivity skill, these records can reveal sensitive behavioral patterns, calendar context, and inferred priorities, so local compromise, shared-machine access, backups, or other components reading the same workspace can expose private information.

VirusTotal

63/63 vendors flagged this skill as clean.
