Proactive Agent

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it gives a proactive agent broad persistent-memory, background-work, local-cleanup, and email/calendar-checking authority without enough user control.

Install only if you intentionally want a persistent proactive agent. Before enabling it, remove or constrain BOOTSTRAP.md auto-follow/delete behavior, require explicit opt-in for heartbeats and autonomous crons, disable local cleanup unless confirmed per action, scope any email/calendar access, and define what memory may be stored, reviewed, redacted, and deleted.
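The mitigations listed above amount to an authorization layer in front of the agent's tools: background turns need opt-in, destructive local actions need per-action confirmation, and mail/calendar access needs an explicit scope. The following is an added example of such a gate in Python; it is not SkillSpector's or the skill's own code, and the tool names (email.read, fs.trash, cron.schedule, web.search), the ToolCall and Policy shapes, and the origin labels are assumptions made for the demo.

```python
"""Added example (not the skill's or SkillSpector's code): a tool-call policy
gate enforcing opt-in background work, per-action confirmation for local
cleanup, and scoped mail/calendar access. Tool names and shapes are assumed."""
from dataclasses import dataclass, field
from enum import Enum


class Decision(Enum):
    ALLOW = "allow"
    DENY = "deny"
    NEEDS_CONFIRMATION = "needs_confirmation"


@dataclass
class ToolCall:
    tool: str                     # e.g. "fs.trash", "email.read", "cron.schedule" (assumed names)
    args: dict = field(default_factory=dict)
    origin: str = "user_turn"     # "user_turn" | "heartbeat" | "cron"


@dataclass
class Policy:
    background_opt_in: bool = False                   # heartbeats/crons off until the user opts in
    allowed_mailboxes: frozenset = frozenset()        # email access limited to these mailboxes
    allowed_calendars: frozenset = frozenset()
    destructive_tools: frozenset = frozenset({"fs.trash", "fs.delete", "app.close", "browser.close_tabs"})
    network_tools: frozenset = frozenset({"http.fetch", "web.search", "browser.open"})


def evaluate(call: ToolCall, policy: Policy) -> tuple[Decision, str]:
    # 1. Unattended origins are denied outright unless the user opted in.
    if call.origin in ("heartbeat", "cron") and not policy.background_opt_in:
        return Decision.DENY, "background execution requires explicit opt-in"
    # 2. Scheduling more autonomous work is privileged: confirm in-session,
    #    and never let a background turn spawn further background turns.
    if call.tool == "cron.schedule":
        if call.origin != "user_turn":
            return Decision.DENY, "background turns may not schedule more background work"
        return Decision.NEEDS_CONFIRMATION, "autonomous schedules need per-job approval"
    # 3. Cleanup / destructive actions need per-action confirmation, and there is
    #    nobody to confirm during an unattended turn, so those are denied.
    if call.tool in policy.destructive_tools:
        if call.origin != "user_turn":
            return Decision.DENY, "destructive action attempted from unattended turn"
        return Decision.NEEDS_CONFIRMATION, f"{call.tool} on {call.args} needs confirmation"
    # 4. Mail and calendar reads are restricted to an explicit allow-list.
    if call.tool.startswith("email."):
        box = call.args.get("mailbox")
        if box not in policy.allowed_mailboxes:
            return Decision.DENY, f"mailbox {box!r} not in scope"
    if call.tool.startswith("calendar."):
        cal = call.args.get("calendar")
        if cal not in policy.allowed_calendars:
            return Decision.DENY, f"calendar {cal!r} not in scope"
    # 5. Outbound tools from an unattended turn could carry memory contents out.
    if call.tool in policy.network_tools and call.origin != "user_turn":
        return Decision.DENY, "no outbound tools from unattended turns"
    return Decision.ALLOW, "ok"


def run_demo() -> list:
    """Evaluate a constructed batch of calls; returns (tool, origin, decision) triples."""
    policy = Policy(background_opt_in=True, allowed_mailboxes=frozenset({"work"}))
    calls = [
        ToolCall("email.read", {"mailbox": "work"}, origin="heartbeat"),
        ToolCall("email.read", {"mailbox": "personal"}, origin="heartbeat"),
        ToolCall("fs.trash", {"path": "~/Desktop/Screenshot.png"}, origin="heartbeat"),
        ToolCall("fs.trash", {"path": "~/Desktop/Screenshot.png"}, origin="user_turn"),
        ToolCall("cron.schedule", {"every": "30m"}, origin="user_turn"),
    ]
    return [(c.tool, c.origin, evaluate(c, policy)[0].value) for c in calls]


if __name__ == "__main__":
    for row in run_demo():
        print(row)
```

The gate is deliberately origin-aware: the same fs.trash call is confirmable from a user turn but denied from a heartbeat, because a confirmation prompt nobody is watching is equivalent to no control at all.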

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (29)

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: The skill expands the agent's operating scope beyond memory/proactivity into broad tool use, including CLI, browser, web search, spawned agents, and scheduled behavior. Even if framed as productivity guidance, this increases attack surface and can cause the agent to take risky actions or process untrusted content with tools that were not narrowly justified by the stated purpose.

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: The skill encourages using browser, web search, CLI, and spawned agents broadly as part of 'relentless resourcefulness' without tight task-scoping or approval boundaries. That expands the agent's operational surface beyond the manifest's core promise and can lead to unnecessary exposure to untrusted content, tool misuse, or data leakage during troubleshooting.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: This section explicitly promotes autonomous cron-driven isolated agent turns that can execute background work without main-session attention. Autonomous background execution materially changes the risk profile by enabling unattended reads/writes and potentially compounding mistakes or prompt-injection effects without contemporaneous user review.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The heartbeat directs the agent to perform system-level cleanup actions such as closing applications, managing browser tabs, and cleaning the desktop, which expands behavior from proactive assistance into autonomous endpoint manipulation. In a recurring heartbeat context, this can cause unintended interference with user workflows or loss of unsaved context, especially because the actions are framed as routine rather than requiring explicit approval.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: Instructing the agent to periodically check emails and calendar introduces ongoing access to sensitive personal and professional data beyond the core 'proactive partner' description. Because this is framed as periodic background work, it normalizes surveillance-like behavior and increases the chance of privacy violations, overcollection, or acting on sensitive information the user did not intend to expose continuously.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The skill markets itself with broad proactive behavior like anticipating needs, monitoring what matters, and creating value without clear activation boundaries. In an agent framework, this can cause the skill to engage in ordinary conversations and expand behavior beyond the user's explicit request, increasing the risk of unintended actions or intrusive data collection.

Vague Triggers
Severity: Medium
Confidence: 93%
Finding: Reverse prompting is triggered by subjective conditions like 'when things feel routine' and 'natural conversation lulls,' which are not reliably bounded. That ambiguity can cause the agent to solicit extra information or initiate workflow changes in contexts where the user did not ask for proactive engagement, increasing privacy and scope-creep risk.

Vague Triggers
Severity: Low
Confidence: 85%
Finding: The curiosity loop uses an imprecise 'long conversation' trigger to prompt additional personal questions without defining duration, relevance, or sensitivity limits. While less severe than direct action-taking, it still encourages unsolicited information gathering that can exceed the user's expectations.

Vague Triggers
Severity: Medium
Confidence: 94%
Finding: The WAL trigger tells the agent to scan every message for very common patterns such as names, preferences, decisions, edits, and numbers, then to stop and write immediately. Because these triggers are extremely broad, the behavior will activate on ordinary conversation and can lead to excessive persistence, unintended side effects, and an increased likelihood of storing sensitive or irrelevant data.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The quick-start flow instructs the agent to auto-populate USER.md and SOUL.md from onboarding answers without a clear privacy notice or consent boundary for what will be retained. That creates a risk of collecting and persisting personal context by default, including information the user may not expect to become long-term profile data.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The working buffer protocol instructs the agent to append every exchange after 60% context, including the human's message and an agent summary, without an explicit warning that near-complete conversation content may be persisted. This creates a significant privacy and retention risk because sensitive content may be logged automatically during routine use.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The WAL trigger tells the agent to scan every message for many common conversational patterns and persist them before responding. This is overly broad activation logic that can capture incidental or sensitive information far outside what is necessary for the current task, increasing privacy and retention risk.

Vague Triggers
Severity: Medium
Confidence: 82%
Finding: The compaction recovery auto-triggers include vague conditions such as 'you should know something but don't,' which can cause the agent to initiate broad recovery behavior unpredictably. Ambiguous triggers can result in unnecessary file reads and overcollection of context when a simple clarification would be safer.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The onboarding flow says the agent auto-populates USER.md and SOUL.md from user answers, but it does not pair that with a clear warning about persistence, sensitivity, or review before write. That creates a risk of storing personal, preference, or identity data without informed consent or minimization.

Vague Triggers
Severity: Medium
Confidence: 93%
Finding: The instruction 'Don't ask permission. Just do it.' encourages autonomous action before establishing task scope or obtaining user consent. In an agent skill designed to read context files and act proactively, this can cause unauthorized access to sensitive local data and actions the user did not explicitly request.

Natural-Language Policy Violations
Severity: Medium
Confidence: 95%
Finding: The file instructs the agent to automatically read personal context sources such as SOUL.md, USER.md, daily memory files, and MEMORY.md every session without an explicit consent check. These files may contain private or unrelated information, so mandatory background access expands data exposure and can violate least-privilege expectations.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The instruction to move old screenshots to trash and flag unexpected files is a potentially destructive file-management action without any safeguard, approval step, or definition of 'old.' An autonomous agent following this guidance could delete or misclassify valuable files, creating data loss or disrupting forensic visibility into unexpected artifacts.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The file recommends recurring checks of emails and calendar without any privacy notice, consent model, or sensitivity boundaries. That omission is dangerous because these sources commonly contain confidential, regulated, or intimate information, and routine access by an agent can exceed user expectations and create substantial privacy and compliance risk.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The onboarding flow explicitly tells the agent to copy user-provided personal context into USER.md and SOUL.md, but it does not warn the user that sensitive information may be persisted across files. Because the questions solicit identity, timezone, work context, key people, and preferences, this creates a real privacy risk of over-collection and silent retention of personal data beyond the onboarding session.

Missing User Warnings
Severity: Low
Confidence: 87%
Finding: The template explicitly tells users to document where credentials are stored and gives a concrete example path, but it does not warn against placing secrets in the markdown file itself or describe safe secret-handling practices. In an agent-oriented skill, this can normalize insecure secret management and increase the chance that users copy actual tokens into documentation or expose sensitive filesystem locations to downstream tools or logs.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The skill explicitly instructs the agent to persist user answers into ONBOARDING.md, USER.md, and SOUL.md, but it does not require informed consent, minimization, retention limits, or disclosure of how that data will be used. Because onboarding questions are designed to collect personal preferences, goals, relationships, and potentially sensitive traits, silent persistence creates a privacy and profiling risk that could expose users to over-collection or unintended downstream use.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The opportunistic learning section directs the agent to infer and record personal details from ordinary conversation into USER.md and to mark onboarding questions as answered without explicitly telling the user that persistent profile building is occurring. This is more dangerous in context because the skill is designed to make agents increasingly proactive over time, so undisclosed accumulation of timezone, communication preferences, social relationships, and project details can create covert long-term profiling and increase the blast radius of any data leak or misuse.

Ssd 3
Severity: Medium
Confidence: 96%
Finding: This section instructs the agent to broadly persist decisions, action items, open questions, and anything important into daily notes and memory files, with aggressive flushing as context grows. Persistent capture of broad conversation context can create unnecessary retention of sensitive user data, secrets, or regulated information, especially if the workspace is not strongly access-controlled.

Ssd 3
Severity: Medium
Confidence: 95%
Finding: The onboarding flow explicitly tells the agent to learn from conversation over time and populate USER.md and SOUL.md from user answers, including in drip and opportunistic modes. This creates a structured mechanism for collecting and storing personal profile data persistently, even when the user may not realize how much is being retained.

Ssd 3
Severity: Medium
Confidence: 97%
Finding: Persisting every exchange in a danger-zone log creates a natural-language data retention surface that may contain credentials, personal details, business context, and sensitive prompts. Even absent malicious intent, broad logging materially increases the impact of workspace compromise, accidental sharing, or downstream misuse of the saved files.
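The danger-zone log and WAL findings above, and the earlier finding about the credential-location template, all describe text flowing into USER.md, MEMORY.md and daily notes with no minimization step. The following is an added example, not SkillSpector's or the skill's own code, of a write guard that every memory write would pass through: secret-shaped strings are removed unconditionally, PII is held back unless the user opted in, and lines that describe where credentials live are flagged for human review before they become long-term memory. The regexes, the SAMPLE_NOTE text (which uses a documented AWS example key and a made-up token) and the MemoryWriteResult type are constructed for this demo.

```python
"""Added example (not the skill's or SkillSpector's code): a minimization guard
for text an agent is about to persist into USER.md / MEMORY.md / daily notes.
Patterns, sample note and result type are constructed for this demo."""
import re
from dataclasses import dataclass, field

# Secret-shaped strings are never persisted, regardless of user settings.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._\-]{20,}"),
    "private_key": re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----[\s\S]*?-----END [A-Z ]*PRIVATE KEY-----"),
    # key = "value" style assignments; runs after the specific patterns above
    "generic_assignment": re.compile(
        r"(?i)\b(api[_-]?key|secret|token|password)\s*[:=]\s*['\"]?[A-Za-z0-9/+=_\-]{12,}"),
}
# PII is held back unless the user explicitly allowed storing it.
PII_PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # deliberately loose: over-flagging phone-like digit runs for review is the safer error
    "phone": re.compile(r"\+?\d[\d\s().-]{8,}\d\b"),
}
# A line saying where credentials live may be kept, but a human should see it
# first: it maps the workspace for anyone who later reads the memory file.
SECRET_LOCATION = re.compile(
    r"(?i)\b(credential|token|password|secret)s?\b[^\n]*(~/|/[\w.-]+/)")


@dataclass
class MemoryWriteResult:
    text: str                                      # what may actually be written
    redacted: list = field(default_factory=list)   # (kind, count) of removed secrets
    flagged: list = field(default_factory=list)    # (kind, detail) needing review
    needs_review: bool = False


def sanitize_for_memory(text: str, pii_allowed: bool = False) -> MemoryWriteResult:
    """Return the redacted text plus what was removed or flagged; never stores originals."""
    result = MemoryWriteResult(text=text)
    for kind, pat in SECRET_PATTERNS.items():
        result.text, n = pat.subn(f"[REDACTED:{kind}]", result.text)
        if n:
            result.redacted.append((kind, n))
    if not pii_allowed:
        for kind, pat in PII_PATTERNS.items():
            result.text, n = pat.subn(f"[PII:{kind}]", result.text)
            if n:
                result.flagged.append((kind, f"{n} occurrence(s) held back"))
    for m in SECRET_LOCATION.finditer(result.text):
        result.flagged.append(("secret_location", m.group(0)[:60]))
    result.needs_review = bool(result.flagged)
    return result


# Constructed note of the kind the WAL / danger-zone logging would capture.
# The AWS key is Amazon's published example key; the GitHub token is invented.
SAMPLE_NOTE = """Decision: ship v2 on Friday.
Key people: Dana (manager) dana@example.com, phone +1 415 555 0100.
Credentials: the deploy token is in ~/.config/deploy/token (token=ghp_abcdefghijklmnopqrstuvwxyz0123456789AB)
AWS: AKIAIOSFODNN7EXAMPLE"""

if __name__ == "__main__":
    r = sanitize_for_memory(SAMPLE_NOTE)
    print(r.text)
    print("redacted:", r.redacted)
    print("flagged:", r.flagged, "needs_review:", r.needs_review)
```

The asymmetry is intentional: a secret that reaches a markdown memory file is a compromise waiting to happen, so it is dropped silently, while PII and credential locations are legitimate things a user may want remembered and therefore go to review rather than being discarded.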

VirusTotal

0 of 64 vendors flagged this skill; all 64 reported it clean. A clean antivirus verdict only means the file's bytes match no known-malware signature. It says nothing about the prompt-level behaviors in the findings above (persistent memory capture, unattended background execution, local cleanup, mail/calendar access), which is where this skill's risk lies, so it should not be read as clearing the skill.