Proactive Tasks

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local task manager, but it should be reviewed because it enables recurring autonomous work and writes shared workspace memory/state files without tight controls.

Install only if you intentionally want a persistent autonomous task manager. Before enabling heartbeat or cron, restrict it to named approved projects, require approval for external or irreversible actions, avoid secrets or sensitive business details in task notes, and periodically review or clear SESSION-STATE.md and memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill instructs the agent to read and write multiple workspace files (`SESSION-STATE.md`, `working-buffer.md`, WAL logs, `data/tasks.json`) and to invoke scripts, but it declares no corresponding permissions. This mismatch weakens security review and user consent because the skill appears less privileged than it actually is, while enabling persistent state changes and data access.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding: The script intentionally reads and writes persistence artifacts outside its dedicated task data store, including workspace-level memory and session-state files. In an autonomous agent skill, this expands the blast radius from task bookkeeping to broader agent state manipulation, enabling unintended cross-context persistence, prompt/state poisoning, or overwriting of files other components may trust.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding: The health-check routine is not read-only: it silently mutates task records and persists repairs. A command named as a diagnostic check can therefore change execution state, timestamps, and progress data, which is dangerous in autonomous systems because merely inspecting state can alter future agent behavior and hide underlying corruption or tampering.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding: When progress is set to 100%, the code sets status to `in_progress` instead of `completed`, creating an impossible state. In a proactive task manager, this can cause the agent to continue acting on finished work, misreport completion, trigger repeated actions, and corrupt workflow decisions that depend on task state semantics.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: This section explicitly instructs autonomous processes to write memory files and logs in the workspace during background execution, but it does not include any user-facing consent, scoping, or safety guidance about modifying local files. In a proactive/autonomous skill, silent background writes are risky because they can change project state, create persistent artifacts, or leak operational details without the user's awareness.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding: The cron example appends command output to `memory/daily-health.log` in the background, creating ongoing autonomous writes without any accompanying warning or consent language. Because this runs on a schedule, it can continuously accumulate sensitive operational data or overwrite expectations about when the agent is allowed to modify the workspace.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding: The README explicitly instructs heartbeat-driven autonomous execution of task-management commands and encourages the agent to 'work for 10-15 minutes' without a corresponding warning that the skill will read and modify persistent local state in `tasks.json`. In an agent setting, this can normalize unsupervised state changes and recurring actions, increasing the chance of unintended file modifications, misleading progress reporting, or silent operational drift.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The activation description is broad enough to match ordinary discussions about goals, projects, planning, or autonomous work, which can cause the skill to engage without clear user intent. In this skill, accidental activation is more dangerous because activation leads to persistent task creation, file writes, and potentially autonomous follow-up behavior.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The instruction to act whenever a human 'mentions a goal or project' is ambiguous and encourages the agent to infer consent from casual conversation. Because this skill is designed to create records, track work, and operate proactively during heartbeats, that ambiguity can result in unauthorized state changes and unsolicited autonomous actions.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding: The package description advertises broad autonomous capabilities like proactive work, self-healing, and production readiness without defining limits, approval boundaries, or safe activation conditions. In an agent skill, this ambiguity can cause overbroad invocation and unsafe autonomous behavior, especially when the skill is intended to act during heartbeats and make progress without explicit prompts.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: `update_session_state` rewrites `SESSION-STATE.md` at a workspace-level path every time certain commands run, with no warning or consent. Because this file sits outside the task data store and may be consumed by other agent components, the operation can overwrite unrelated content and inject task-derived text into trusted working memory, increasing prompt/state poisoning risk.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The health-check command automatically applies write-side repairs while presenting itself as a check operation. This can surprise operators, erase forensic evidence of bad state, and alter autonomous planning inputs without an explicit acknowledgement that data will be modified.

Session Persistence

Severity: Medium
Category: Rogue Agent
Content:
**Quick setup:** See [HEARTBEAT-CONFIG.md](HEARTBEAT-CONFIG.md) for complete setup instructions and patterns.

**TL;DR:**
1. Create a cron job that sends you a heartbeat message every 30 minutes
2. Add proactive-tasks checks to your `HEARTBEAT.md`
3. You'll automatically check for tasks and work on them without waiting for prompts
Confidence: 93%
Finding: Create a cron job that

VirusTotal

66/66 vendors flagged this skill as clean.
