Copilot

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it asks for broad proactive access and persistent memory without clear enough user consent and controls.

Install only if you want a proactive assistant that can remember work context locally and potentially inspect work tools. Before using it, set explicit boundaries: require opt-in before creating ~/copilot/ files, screenshots, Slack/email/calendar access, deployment monitoring, or production actions; avoid storing secrets or regulated data; and periodically review or delete the saved files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Missing User Warnings

Severity: Medium | Confidence: 94%
The skill instructs persistent storage of ongoing user context, priorities, decisions, and project history in files under ~/copilot/ without any user-facing warning, consent flow, retention limits, or guidance on handling sensitive data. This can lead to unintended collection and long-term exposure of private information, especially on shared machines, synced home directories, backups, or environments with weak filesystem permissions.

Vague Triggers

Severity: Medium | Confidence: 86%
The Development-context signals are broad enough that the skill could activate in many ordinary coding sessions without clear user intent, enabling unsolicited reads of IDE, terminal, git, or build state. In a copilot skill with persistence and proactive behavior, this increases the chance of over-collection of workspace context and actions being suggested or initiated from incidental signals rather than explicit scope.

Vague Triggers

Severity: Medium | Confidence: 91%
The Knowledge Work context uses very broad signals like docs, email, calendar, and Slack mentions, which can expose highly sensitive business and personal information if the agent activates too freely. Because this skill is explicitly designed for cross-session persistence and proactive anticipation, ambiguous triggering here is more dangerous than usual: it may collect, retain, and surface stakeholder, meeting, and decision data without sufficiently clear boundaries or consent.

Vague Triggers

Severity: Low | Confidence: 77%
The Creative-context signals are ambiguous and may trigger on ordinary use of design or writing tools, causing the assistant to infer preferences, constraints, or asset history without a clearly bounded task. While typically less sensitive than email or terminal data, persistent storage of stylistic preferences, client constraints, and asset locations can still create privacy and confidentiality issues, especially in client-facing projects.

Missing User Warnings

Severity: Medium | Confidence: 96%
The example explicitly depicts the copilot taking a screenshot and inspecting code without any contemporaneous user consent, notice, or visible boundary on what can be captured. In a skill whose purpose is proactive, persistent assistance across sessions, this normalizes covert collection of potentially sensitive on-screen data such as secrets, customer information, or unrelated applications, increasing privacy and data-exposure risk.

Missing User Warnings

Severity: Medium | Confidence: 94%
This example implies the copilot monitors Slack messages and tracks external service changes and the user's work state in the background, then surfaces that information without indicating prior authorization or notification. In the context of a persistence- and anticipation-focused copilot, this encourages silent surveillance of communications and activity, which can expose private messages, confidential project details, and workplace metadata.

Vague Triggers

Severity: Medium | Confidence: 92%
The skill defines broad, automatic triggers for updating persistent state files based on conversational cues like project switches, new tasks, or 'significant progress' without requiring explicit confirmation. In a copilot skill with cross-session memory, this can cause unintended writes, incorrect persistence of sensitive context, or prompt-injection-induced state pollution that affects future sessions.

Missing User Warnings

Severity: Medium | Confidence: 95%
The implementation describes creating and updating files under ~/copilot/ based on normal interaction flow, but it does not explicitly warn the user that filesystem writes will occur. This weakens informed consent and can lead to silent persistence of sensitive project details, decisions, or personal workflow information on disk.

Missing User Warnings

Severity: Medium | Confidence: 90%
The heartbeat and cron features instruct the skill to read active context and check data sources like calendars and meeting context proactively, but they do not require explicit consent or warn that potentially sensitive personal or work data may be accessed on a schedule. Because this is an autonomous, recurring behavior, the privacy risk is higher than a one-off user-requested action.

Missing User Warnings

Severity: Medium | Confidence: 96%
The template explicitly directs the agent to create persistent files under ~/copilot/ on the user's machine, but provides no consent flow, retention limits, sensitivity guidance, or warning that personal/work context will be stored locally across sessions. Because the stored content includes priorities, people, decisions, workflow habits, and project context, it can accumulate sensitive information and create privacy and confidentiality risk if written automatically or without clear user approval.

VirusTotal

66/66 vendors flagged this skill as clean.