Smoking (Tracker, Logger, Quit, Reduce)

Security checks across malware telemetry and agentic risk

Overview

This is a local, instruction-only smoking tracker that discloses its sensitive local notes and requires user confirmation before writing them.

Install only if you are comfortable keeping smoking, nicotine-use, trigger, and plan notes on this device under ~/smoking/. Review each proposed file write before confirming, and delete or pause those local files if you no longer want that history retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium (95% confidence)
Finding:
The template directs creation of persistent smoking-related logs under the user's home directory, which can expose sensitive health and behavioral data to other local users, backups, sync services, or forensic recovery if the user is unaware of the storage implications. In this skill context, the data includes addiction-related patterns, triggers, and lapse history, making the privacy risk more significant than ordinary notes because it concerns stigmatized and health-adjacent personal information.

Vague Triggers

Medium (89% confidence)
Finding:
The skill asks to activate on broad mentions of smoking, nicotine, vaping, cravings, or quit attempts, which can cause unsolicited intervention in conversations where the user did not actually request this behavior. In a sensitive health-related context, overbroad activation can create privacy and autonomy issues, especially if the agent begins tracking or steering behavior based on incidental mentions.

Missing User Warnings

Medium (94% confidence)
Finding:
The skill explicitly instructs the agent to store behavior and health-adjacent habit data, including trigger patterns and trends, but does not tell the user that such retention will occur or how it affects privacy. Because smoking and nicotine-use data can be sensitive, undisclosed retention increases the risk of collecting personal behavioral profiles without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.