Nooks: Places worth revisiting

Security checks across malware telemetry and agentic risk

Overview

This is a coherent place-notes skill that stores local markdown files and optionally enriches them with web or Google Places lookups, with privacy caveats but no evidence of deception or unsafe behavior.

Install this only if you want your agent to keep durable local records of places you visit or may revisit. Keep mind/nooks private, avoid saving sensitive locations, restrict any Google Places API key, and only enable image lookup, Haah dispatch, or heartbeat/cron reminders if you are comfortable with the added data sharing or recurring prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: Medium. Confidence: 90%.

Finding: The skill description is broad enough to activate on routine conversation about places, eating, or working in a city. Over-broad invocation increases the chance the agent will perform searches, create files, or prompt for persistence when the user did not intend to use this skill.

Vague Triggers

Severity: Medium. Confidence: 94%.

Finding: The core behavior instructs the agent to react to casual mentions, such as visiting somewhere in passing or saying a place had bad wifi. That ambiguity can cause unsolicited data collection, follow-up prompting, and file modifications based on conversational context rather than explicit user intent.

Missing User Warnings

Severity: Medium. Confidence: 92%.

Finding: The skill tells the agent to create directories and files on first use without requiring an explicit warning that workspace data will be modified. Silent persistence in the workspace is risky because users may not realize ordinary conversation can lead to durable local state changes.

Missing User Warnings

Severity: Medium. Confidence: 93%.

Finding: The skill directs web searches, API calls, and image searches using place and city data without a user-facing privacy notice or consent step. Even if the data seems low sensitivity, external lookups can disclose user interests, travel patterns, or private routines to third-party services.
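The two Missing User Warnings findings above (silent creation of files on first use, and external lookups without a consent step) both come down to the same control: an explicit opt-in gate in front of every durable write and every outbound call. The following is an added example, not code from the Nooks skill or from SkillSpector; the skill runtime, the mind/nooks file layout, the trigger phrases, the list of sensitive location kinds and the injected lookup client are all assumptions made for illustration. It also shows the first finding's point that a casual mention of a place should not count as a request to record it.

```python
# Added example (not the Nooks skill's own code): a consent gate for a
# place-notes skill. Durable writes and external lookups are refused unless
# the user explicitly opted in, casual mentions of a place are not a request,
# and sensitive location kinds are never written to disk. File layout, trigger
# wording and the lookup client are assumptions for illustration.
from __future__ import annotations

import re
import tempfile
from dataclasses import dataclass
from pathlib import Path
from typing import Callable

# Location kinds a user is unlikely to want in a durable, possibly synced note store (assumed list).
SENSITIVE_KINDS = {"home", "work", "school", "clinic", "hospital", "shelter"}

# Phrases that count as an explicit request to record a place (assumed wording).
EXPLICIT_TRIGGERS = ("save this place", "remember this place", "add to nooks", "note this spot")


class ConsentRequired(PermissionError):
    """Raised when an action needs an opt-in the user has not given."""


@dataclass(frozen=True)
class Consent:
    persist_notes: bool = False    # may the skill create mind/nooks and write files?
    external_lookup: bool = False  # may place/city data leave the machine?


@dataclass
class PlaceNote:
    name: str
    city: str
    kind: str = "other"
    body: str = ""


def is_explicit_request(message: str) -> bool:
    """Only a clear instruction triggers the skill; 'the wifi there was bad' does not."""
    text = message.lower()
    return any(trigger in text for trigger in EXPLICIT_TRIGGERS)


def _slug(value: str) -> str:
    return re.sub(r"[^a-z0-9]+", "-", value.lower()).strip("-") or "place"


def save_note(note: PlaceNote, consent: Consent, root: Path) -> Path:
    """Write one markdown note, but only with opt-in and never for sensitive kinds."""
    if not consent.persist_notes:
        raise ConsentRequired(f"creating files under {root} requires explicit opt-in")
    if note.kind in SENSITIVE_KINDS:
        raise ValueError(f"refusing to persist a {note.kind!r} location")
    root.mkdir(parents=True, exist_ok=True)  # directory is created only past both checks
    path = root / f"{_slug(note.city)}-{_slug(note.name)}.md"
    path.write_text(f"# {note.name}\n\nCity: {note.city}\n\n{note.body}\n", encoding="utf-8")
    return path


def enrich(note: PlaceNote, consent: Consent, lookup: Callable[[str, str], str]) -> PlaceNote:
    """Call the (injected) external lookup only if the user allowed data sharing."""
    if not consent.external_lookup:
        return note  # nothing leaves the machine
    note.body = (note.body + "\n" + lookup(note.name, note.city)).strip()
    return note


def run_demo() -> dict:
    """Exercise the gate on constructed inputs and report what happened."""
    calls: list[tuple[str, str]] = []

    def fake_lookup(name: str, city: str) -> str:  # stands in for a Places/web client
        calls.append((name, city))
        return f"(lookup result for {name}, {city})"

    results: dict = {}
    results["casual_mention_triggers"] = is_explicit_request("that cafe had bad wifi")
    results["explicit_request_triggers"] = is_explicit_request("Remember this place: Cafe Azul")

    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "mind" / "nooks"
        note = PlaceNote("Cafe Azul", "Lisbon", body="good espresso")  # constructed input
        try:
            save_note(note, Consent(), root)
            results["write_without_consent"] = "written"
        except ConsentRequired:
            results["write_without_consent"] = "refused"
        results["dir_created_without_consent"] = root.exists()

        enrich(note, Consent(), fake_lookup)
        results["lookups_without_consent"] = len(calls)

        allow = Consent(persist_notes=True, external_lookup=True)
        enrich(note, allow, fake_lookup)
        results["lookups_with_consent"] = len(calls)
        path = save_note(note, allow, root)
        results["written_name"] = path.name
        results["written_has_lookup"] = "lookup result" in path.read_text(encoding="utf-8")
        try:
            save_note(PlaceNote("Flat", "Lisbon", kind="home"), allow, root)
            results["sensitive_written"] = True
        except ValueError:
            results["sensitive_written"] = False
    return results
```

Running run_demo() shows the behaviour the findings ask for: with a default Consent the write is refused before the directory is created and the lookup client is never called; with both flags set the note is written and enriched; a location of kind "home" is rejected even with consent. The lookup client is injected so the gate can be tested offline and so a real Places key never has to be present in the skill's own code.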

VirusTotal

65/65 vendors reported this skill as clean.