ClawHub

Daily Reminder

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local reminder/countdown skill whose persistence is aligned with its purpose, but users should know it saves personal schedule data locally.

Install only if you are comfortable with reminder and anniversary details being saved in local JSON files. Review where those files are stored, avoid entering highly sensitive personal details, and prefer versions that let you list, edit, export, and delete saved data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
88% confidence
Finding
The trigger keywords are very broad and overlap with ordinary conversation such as ‘提醒’, ‘倒计时’, and ‘纪念日’. This can cause accidental invocation of the skill, which may lead to unintended processing or storage of personal scheduling information even when the user did not explicitly mean to use this skill.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill explicitly states that reminders, countdowns, and anniversaries are stored persistently in local JSON files, but the user is not informed at interaction time that their data will be saved. Because this data can include sensitive personal schedules and relationship details, silent retention creates a privacy risk and may violate user expectations or platform data-handling requirements.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill persists user reminder, countdown, and anniversary content to local JSON files without any notice, consent flow, retention policy, or access controls. Because these entries can contain sensitive personal schedules or dates, silent persistent storage creates a privacy risk if other local processes, users, or future skill executions can read the data.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal