ClawHub

Lofy Life Coach

Security checks across malware telemetry and agentic risk

Overview

This life-coaching skill is coherent and scoped to local goal and habit tracking, but users should know it stores personal routine data.

Install only if you are comfortable with a local goals file keeping records about routines, workouts, habits, career progress, and daily logs. Review or delete data/goals.json when needed, and avoid connecting calendar, fitness, or application context you do not want included in briefings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation description is broad enough to trigger on ordinary conversations about routines, goals, or daily planning, which increases the chance the skill runs without the user clearly intending to invoke persistent tracking behavior. In this skill's context, that matters because activation can lead directly to reading and writing personal behavioral data, making overbroad matching a privacy and consent risk rather than just a UX issue.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to persistently read and write a personal goals file but provides no user-facing notice, consent flow, or retention boundaries. Because the stored data includes habits, fitness activity, career progress, and daily logs, silent persistence creates a meaningful privacy risk and can surprise users who believed they were having a transient conversation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The natural-language parsing rules convert casual statements like 'I worked out' or 'Went to bed at 11' into persistent records automatically, without requiring confirmation that the user wants those statements logged. In this context, the danger is elevated because routine conversation can be silently transformed into a behavioral history containing health-adjacent, lifestyle, and employment-related data, creating privacy, profiling, and data integrity risks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal