ClawHub

Pets

Security checks across malware telemetry and agentic risk

Overview

This is a coherent pet-tracking skill that stores local pet records and photos, with a reminder note that needs user care but no hidden code or deceptive behavior.

Install this only if you want a local pet journal that remembers pet-related details in ~/pets/. Avoid storing sensitive contact, address, medical, or travel details unless necessary, and require explicit confirmation before creating cron reminders so you know what was scheduled and how to remove it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill instructs the agent to 'always log' pet-related information and to convert even casual mentions into stored records. That creates a real risk of unintended invocation and persistence when users are merely chatting, because sensitive behavioral or household details may be written to disk without a clear, explicit save request.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill persistently stores user-provided pet information in local files but does not tell the user that their messages will be saved. This is dangerous because users may disclose private household routines, incidents, or health-adjacent details under the assumption they are part of an ephemeral conversation, leading to silent retention of personal data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs persistent storage of user-shared pet photos and generated images under a local home-directory path without disclosing retention, access scope, or any consent/cleanup controls. Because pet photos, filenames, and related project artifacts can contain personal or sensitive information, this creates a privacy and data-handling risk through unintended long-term local retention and possible exposure to other local processes or users.

Vague Triggers

Medium
Confidence
95% confidence
Finding
The phrasing guidance for report requests remains broad and conversational, which can overlap with normal user speech and make the skill easier to invoke unintentionally. While this file only documents reporting behavior and does not contain direct code execution or privileged actions, unintended invocation could still expose pet-related summaries or trigger confusing responses in the wrong context.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The example triggers like "How's Luna doing?" and similar natural-language phrases are highly conversational and indistinguishable from ordinary chat, increasing the chance of accidental activation. In this pet-reporting context the impact is limited to unintended access to routine summaries, behavior logs, or household observations, but it still creates a real boundary/intent-recognition weakness.

Ssd 3

Medium
Confidence
94% confidence
Finding
The instruction to persist all user-shared pet information, including casual remarks, creates an overbroad data retention policy in natural language. In context, pet logs can easily capture sensitive inferences about the user's home life, schedule, travel, medication routines, or emotionally significant events, increasing privacy and profiling risk over time.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal