Proactivity (Proactive Agent)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed proactivity and local-memory skill, with no evidence of hidden code, credential use, exfiltration, or unauthorized external actions.

Install this only if you want the agent to keep persistent local operating notes in ~/proactivity/ and act more proactively across tasks. Review any proposed AGENTS, TOOLS, SOUL, or HEARTBEAT changes before approving them, define which actions fall under DO/SUGGEST/ASK/NEVER, and avoid storing secrets or sensitive personal data in the proactivity files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence: 86%
Finding
The activation criteria are broad enough to apply to many normal requests for help, which can cause the skill to engage by default and push more autonomous behavior than the user explicitly requested. In a skill designed to anticipate needs and keep acting, overbroad activation increases the chance of uninvited persistence, state creation, or proactive suggestions in contexts where the user expected a narrower assistant role.

Missing User Warnings

Low
Confidence: 93%
Finding
The template instructs creation of persistent files under the user's home directory, which modifies local state and can store durable behavioral preferences without any explicit disclosure, consent step, or retention guidance. In a proactive agent skill, silent initialization of persistent memory increases the chance of unnoticed data accumulation and user-surprising behavior over time.

Missing User Warnings

Medium
Confidence: 97%
Finding
The setup instructs creation of persistent files under ~/proactivity and encourages storing behavioral preferences, task state, blockers, and follow-up data, but it does not require a clear user-facing disclosure about local persistence or the sensitivity of that stored data. This creates a real privacy and consent risk because users may unknowingly allow durable storage of potentially sensitive workflow information on disk.

Vague Triggers

Medium
Confidence: 88%
Finding
The trigger categories are intentionally broad and include common situations like stalled work, context drift, repetition, and promises made, but they do not define clear thresholds, scope limits, or consent boundaries for when proactive behavior should activate. In a proactivity skill, that ambiguity can cause over-triggering, unnecessary follow-ups, or action taken on weak signals, which may lead to user annoyance, privacy-invasive monitoring patterns, or autonomous behavior that exceeds user expectations.

VirusTotal

63/63 vendors flagged this skill as clean.
