Secretary

Security checks across malware telemetry and agentic risk

Overview

The skill advertises confirmation-only assistance but its files tell the agent to send messages, change calendars, book travel, and keep detailed personal memory without clear approval controls.

Review this skill carefully before installing. Treat it as needing either a rewrite or strict local controls: it should only draft, suggest, and store explicitly approved preferences, with every email, calendar change, inbox mutation, booking, RSVP, and memory update requiring your personal confirmation.
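One concrete shape those "strict local controls" can take is a gate in front of the agent's tool dispatcher. The following is an added example, not code from the Secretary skill or from SkillSpector: read-only and draft-only tools run freely, while every side-effecting tool (send, archive, calendar write, booking, RSVP, memory write) needs an approval that is bound to a hash of the exact call, so a confirmation for one message cannot be reused for a different recipient or replayed twice. The tool names and the handler stubs are assumptions constructed for the demo.

```python
"""Approval gate for an agent's side-effecting tool calls (added example).

Assumed tool inventory for a secretary-style skill; the handlers below are
constructed stand-ins, not real mail or calendar APIs.
"""
import hashlib
import json
from dataclasses import dataclass, field

READ_ONLY = {"calendar.list", "inbox.search", "contacts.lookup"}
DRAFT_ONLY = {"email.draft", "calendar.propose", "memory.propose"}
SIDE_EFFECT = {
    "email.send", "email.archive", "calendar.create", "calendar.reschedule",
    "travel.book", "rsvp.respond", "memory.write",
}


def call_digest(tool: str, args: dict) -> str:
    """Canonical hash of one call, so an approval is tied to these exact args."""
    canon = json.dumps({"tool": tool, "args": args}, sort_keys=True,
                       separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


class ApprovalRequired(Exception):
    def __init__(self, tool: str, args: dict, digest: str):
        super().__init__(f"{tool} needs user approval (digest {digest[:12]})")
        self.tool, self.args, self.digest = tool, args, digest


class Denied(Exception):
    pass


@dataclass
class ApprovalGate:
    approved: set = field(default_factory=set)  # digests the user confirmed
    log: list = field(default_factory=list)

    def approve(self, tool: str, args: dict) -> None:
        """Record the user's confirmation of one specific call."""
        self.approved.add(call_digest(tool, args))

    def dispatch(self, tool: str, args: dict, handlers: dict):
        if tool in READ_ONLY or tool in DRAFT_ONLY:
            self.log.append(("ran", tool))
            return handlers[tool](**args)
        if tool not in SIDE_EFFECT:  # default deny for anything unlisted
            self.log.append(("denied", tool))
            raise Denied(f"unknown tool {tool!r}")
        digest = call_digest(tool, args)
        if digest not in self.approved:
            self.log.append(("held", tool))
            raise ApprovalRequired(tool, args, digest)
        self.approved.discard(digest)  # single use: one approval, one execution
        self.log.append(("ran", tool))
        return handlers[tool](**args)


HANDLERS = {  # constructed stand-ins for the demo
    "inbox.search": lambda query: [f"msg matching {query!r}"],
    "email.draft": lambda to, body: {"draft_to": to, "body": body},
    "email.send": lambda to, body: f"sent to {to}",
    "memory.write": lambda key, value: f"stored {key}",
}


def run_demo() -> dict:
    """Exercise the gate and return what happened at each step."""
    gate, out = ApprovalGate(), {}
    out["search"] = gate.dispatch("inbox.search", {"query": "invoice"}, HANDLERS)
    out["draft"] = gate.dispatch("email.draft",
                                 {"to": "a@example.com", "body": "hi"}, HANDLERS)
    send_args = {"to": "a@example.com", "body": "hi"}

    def attempt(key, args):
        try:
            out[key] = gate.dispatch("email.send", args, HANDLERS)
        except ApprovalRequired:
            out[key] = "held"

    attempt("unapproved_send", send_args)          # held: no approval yet
    gate.approve("email.send", send_args)
    attempt("tampered_send", {"to": "b@example.com", "body": "hi"})  # held
    attempt("approved_send", send_args)            # runs exactly once
    attempt("replayed_send", send_args)            # held: approval consumed
    try:
        out["memory"] = gate.dispatch("memory.write",
                                      {"key": "travel_pref", "value": "aisle"},
                                      HANDLERS)
    except ApprovalRequired:
        out["memory"] = "held"
    return out


if __name__ == "__main__":
    print(run_demo())
```

The point of hashing the canonical call rather than keying approvals by tool name is that the approval then covers what the user actually read (recipient, body, event time), not a category; a prompt-injected change to the arguments after confirmation lands back in the held queue. Memory writes are gated the same way, which is the control the persistent-dossier findings below are missing.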

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Description-Behavior Mismatch

Severity: High. Confidence: 98%.
The skill explicitly says it will accept, decline, and handle scheduling actions without asking the user, which directly contradicts the manifest requirement for explicit confirmation before actions. Because calendar changes and outbound messages can materially affect the user's commitments and reputation, this creates a real risk of unauthorized actions taken in the user's name.

Description-Behavior Mismatch

Severity: High. Confidence: 99%.
These conflict-handling instructions authorize the agent to reprioritize meetings, reschedule events, and send apology messages in the user's name without confirmation. In a secretary/calendar skill, this is especially dangerous because the agent has direct access to sensitive scheduling data and can alter real-world commitments and communications autonomously.

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
The post-meeting guidance implies the agent may automatically schedule follow-ups and send thank-you notes based on inferred commitments, without explicit approval. While narrower in scope than full calendar management, it still permits unauthorized outreach and calendar modifications that may misstate the user's intent or create obligations.

Description-Behavior Mismatch

Severity: Medium. Confidence: 92%.
The guide establishes a broad, persistent dossier about the boss and contacts, including relationships, work habits, travel preferences, and historical interactions, which goes beyond the stated skill scope. This expands data collection and retention without clear consent boundaries, increasing privacy, surveillance, and misuse risk if the memory is accessed, repurposed, or retained longer than necessary.

Description-Behavior Mismatch

Severity: High. Confidence: 97%.
The instruction to act from context 'without being asked' conflicts directly with the manifest's promise of explicit confirmation before actions. In an assistant handling scheduling and communications, this can cause unauthorized preparation, messaging, scheduling, or other downstream actions that the user did not approve.

Description-Behavior Mismatch

Severity: Medium. Confidence: 94%.
The operations text authorizes autonomous actions such as booking flights and hotels, rebooking travel, handling RSVPs, and sending overnight holding responses, which conflicts with the stated requirement for explicit confirmation before actions. In a secretary skill with access to calendars, communications, and vendor-facing workflows, this can lead to unauthorized external commitments, financial transactions, and messages being sent on the user's behalf without consent.

Intent-Code Divergence

Severity: High. Confidence: 96%.
The documentation explicitly states the skill will send emails 'as you' and implies autonomous outbound communication, which contradicts the manifest requirement for explicit confirmation before actions. In a secretary/email-management context, this is dangerous because it can cause unauthorized external communications, reputational harm, and unintended commitments while impersonating the user.

Intent-Code Divergence

Severity: High. Confidence: 97%.
Saying the skill will 'handle directly' routine requests indicates autonomous replying without user approval, which directly conflicts with the stated explicit-confirmation constraint. Because this skill operates over inbox content and external contacts, misclassification or incorrect replies could disclose information, create obligations, or damage trust.

Intent-Code Divergence

Severity: Medium. Confidence: 90%.
The documentation claims the skill can archive email autonomously, which modifies inbox state without confirmation and conflicts with the manifest's safety boundary. While less severe than sending external messages, silent archiving can hide important messages, cause missed obligations, and reduce user visibility into actions taken on their account.

Intent-Code Divergence

Severity: High. Confidence: 98%.
Automatically sending holding responses is still an external action taken in the user's name, so it violates the explicit-confirmation requirement even if the content is generic. In this context, even a simple acknowledgment can reveal availability, confirm receipt, or create expectations with VIPs, clients, or internal stakeholders.

Missing User Warnings

Severity: High. Confidence: 96%.
The skill language normalizes autonomous calendar actions and replying in the user's voice without clearly warning that it may modify calendar data or send communications on the user's behalf. This is unsafe because users may not understand that the skill is empowered to make consequential changes and external representations unless strong confirmation gates are enforced.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The file directs persistent storage of sensitive personal and professional information such as contacts, routines, family-time boundaries, travel preferences, and behavioral tendencies, but provides no privacy safeguards. In a secretary-style skill, this creates a concentrated repository of sensitive data that could expose the user's private life and business relationships if mishandled.

Vague Triggers

Severity: Medium. Confidence: 86%.
The document describes persistent, always-on behavior ('the rhythm of how I work') without clear activation boundaries, which can cause the agent to over-collect data, act outside user intent, or assume continuous authority. In a skill handling scheduling and communications, vague operational triggers increase the risk of unauthorized monitoring and action creep.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The skill describes monitoring communications, calendar data, meeting notes, relationship information, and travel bookings without any user-facing privacy disclosure or warning about external actions. Because this role inherently touches sensitive personal and professional information, omission of access, retention, and action-consent boundaries materially raises the risk of privacy violations and unauthorized third-party interactions.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The skill describes triaging, archiving, and sending communications on the user's behalf without clearly warning that it will modify inbox state and may contact external parties. In an email-management skill, lack of transparent disclosure increases the chance users authorize or invoke actions without understanding the operational and privacy consequences.

Missing User Warnings

Severity: Medium. Confidence: 92%.
The language 'I write AS you' and 'the recipient shouldn't be able to tell the difference' normalizes impersonation-like communication without a corresponding warning about accuracy, consent, and reputational risk. In this context, the skill is specifically designed to mimic the user's identity, so missing disclosure and safeguards make misuse and harmful mistakes more likely.

Ssd 3

Severity: Medium. Confidence: 95%.
These instructions tell the agent to convert information learned from conversations, corrections, and repeated behavior into persistent memory files, including preferences and inferred patterns. This is dangerous because it normalizes long-term retention of personal and behavioral data without explicit consent, increasing privacy risk and enabling profiling beyond the immediate task.

VirusTotal

0 of 66 VirusTotal vendors flagged this skill; all 66 returned a clean verdict. Note that an antivirus verdict covers the files' bytes, not the instruction-level risks listed above, so a clean result here does not offset the findings.