ClawHub

Cat

Security checks across malware telemetry and agentic risk

Overview

This cat-care skill stores local pet records only with user approval and does not show hidden network, credential, or destructive behavior.

Install only if you are comfortable keeping cat-care records under ~/cat/. Choose explicit-only or ask-first activation if you do not want ordinary cat conversation to trigger the skill, and avoid storing unnecessary microchip, insurance, sitter, vet, or owner-contact details unless you need them for care coordination.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The file instructs storage of durable cat and household information including health history, insurance, sitter contacts, and documents, but does not include any privacy notice, data minimization guidance, retention limits, or warning about handling sensitive personal information. In this context, the skill is explicitly designed to accumulate long-lived records, which increases the chance of unnecessary collection, over-retention, or exposure of household and veterinary-related data.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The setup instructs the agent to offer activation 'whenever they mention a cat, kitten, foster, or cat-care task,' which is broad enough to trigger on ordinary conversation rather than clear user intent. This can cause unintended skill activation, unnecessary context switching, and accidental collection or storage of pet-related personal information under the skill's workflow.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal