Daily Dev Agentic

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it gives the agent recurring autonomous authority without enough user checkpoints.

Install only if you explicitly want an agent to maintain a daily.dev learning feed, use a DAILY_DEV_TOKEN, write local memory files, fetch third-party articles, and potentially create cron jobs. Before using it, confirm where the memory directory lives, how to remove or disable scheduled jobs, whether proactive sharing is acceptable, and whether feed/tag changes should require approval.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

Medium (89% confidence)
Finding: The skill explicitly allows autonomous refinement of tags, learning goals, and configuration without user approval. In a learning/knowledge-management context this is adjacent to the intended purpose, but it still expands agent behavior by letting it reshape future inputs and priorities on its own, which can cause drift, unwanted monitoring, or persistence of bad decisions over time.

Vague Triggers

Medium (91% confidence)
Finding: The trigger description is overly broad and can cause the skill to activate in situations only loosely related to learning or knowledge management. That increases the chance of unintended autonomous execution, including network activity, file writes, and scheduled task creation without clear user intent.

Missing User Warnings

High (97% confidence)
Finding: The skill explicitly directs autonomous setup of feeds, local memory files, and cron-based recurring tasks with 'No confirmations' and 'autopilot' behavior. This is dangerous because it authorizes persistent system changes and recurring execution without an explicit approval boundary, which can lead to unintended resource use, state changes, or abuse if the skill is triggered unexpectedly.

Missing User Warnings

Medium (88% confidence)
Finding: The learning loop instructs the agent to fetch full articles and perform additional web research proactively, but it does not warn that this may transmit browsing metadata, access third-party domains, or retrieve untrusted external content. In an autonomous skill, omission of that privacy and trust-boundary warning makes the behavior riskier because users may not realize the extent of outbound activity.

Vague Triggers

Medium (84% confidence)
Finding: The trigger phrases include broad natural language like 'learn something' and 'check your feed', which can overlap with ordinary conversation and unintentionally activate autonomous network access and file writes. In this skill, accidental invocation is more dangerous because the workflow performs external fetching, note creation, state updates, and possible owner notifications without confirmation.

Missing User Warnings

Medium (92% confidence)
Finding: The file states the loop runs autonomously with 'No confirmations, no pauses' while later instructing the agent to append notes and update state files. That means data-changing behavior can occur without a clear user-facing warning or consent boundary, increasing the risk of silent state mutation and hard-to-audit persistence.

Missing User Warnings

Medium (94% confidence)
Finding: The skill performs authenticated API calls to daily.dev and fetches arbitrary post URLs, but the user-facing description does not clearly warn that invoking the skill causes outbound network requests and potential sharing behavior. This matters because external transmission plus autonomous operation increases privacy, trust, and supply-chain risk from remote content.

VirusTotal

65/65 vendors flagged this skill as clean.