Family

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local family organizer, but users should be careful because it can store sensitive household, child, care, and medication logistics on the device.

Install only if you want an agent to maintain a local household planning folder. Before approving writes, consider whether this device is appropriate for family schedules, child or dependent-care details, medication logistics, contacts, incident notes, and document locations; keep stored details minimal and review or delete them when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium
Confidence: 89%
Finding
The instruction to create `~/family/` only after the user approves local continuity is too vague for a system that stores highly sensitive household, school, and health coordination data. Without a clear requirement for explicit, informed consent to local persistence, an agent could interpret casual agreement as authorization and retain private family information unexpectedly.

Missing User Warnings

Medium
Confidence: 96%
Finding
This template is designed to store sensitive family data locally, including children's details, contacts, medications, appointments, incidents, and escalation rules, but it does not present an explicit privacy warning or minimization guardrail before collection and persistence. In the family context, these data categories can expose minors, health information, routines, and emergency contacts, increasing the risk of privacy harm, stalking, coercion, or misuse if the device or files are accessed by others.

Vague Triggers

Medium
Confidence: 89%
Finding
The setup instructs the skill to activate on very broad, common topics like home, meals, appointments, and caregiving before the user has clearly opted in. That creates a real risk of unintentional mode switching, unnecessary collection of family-context data, and blending private versus shared household information in conversations that may not have been meant for family coordination.

Missing User Warnings

Low
Confidence: 91%
Finding
The workflow explicitly tells the agent to update household files such as planning, shopping, meal, and document records, but it does not require a user-facing confirmation or warning that persistent data will be modified. In a family coordination skill, these files may contain sensitive household logistics, so silent writes can create privacy, integrity, and surprise-action risks even if the operational intent is legitimate.

Missing User Warnings

Low
Confidence: 94%
Finding
The incident review workflow instructs the agent to log incidents in a persistent file and update upstream records without warning the user that a durable incident history will be created. Because incident logs can contain sensitive family mistakes, care issues, missed doses, or childcare failures, implicit record creation increases privacy and consent risks in this skill's household context.

VirusTotal

62/62 vendors flagged this skill as clean.
