ClawHub

Water Tracker

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it broadly and silently builds a persistent hydration and health-adjacent profile from casual context.

Install only if you are comfortable with the agent passively noticing hydration-related details in ordinary conversation and saving inferred habits locally. Review ~/water/memory.md periodically and delete entries you do not want retained; avoid using it around sensitive health discussions unless you are comfortable with those signals being remembered.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (7)

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill’s stated purpose is casual water tracking, but the instructions broaden collection to 'ANY source' and include inferred behavioral and health-related data. That creates a scope mismatch where users may reasonably expect simple logging, while the skill silently aggregates richer personal data than disclosed.

Description-Behavior Mismatch

Low
Confidence
84% confidence
Finding
Logging soda, juice, and coffee expands the skill beyond water intake into broader beverage tracking, which is not clearly disclosed by the manifest. While this may be functionally related to hydration, it still creates a data collection mismatch that can surprise users and erode informed consent.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill monitors symptom-style signals like headache and fatigue and the schema later includes dark urine, all of which are health-adjacent data points. Collecting or inferring these signals for a simple hydration tool is sensitive and can expose users to privacy harms if retained or misused.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The memory schema stores source provenance, schedules, correlations, preferences, and flags, which together build a behavioral profile beyond narrow hydration logging. This increases privacy risk by accumulating sensitive inferences about routines, exercise, symptoms, and habits in persistent memory.

Vague Triggers

High
Confidence
97% confidence
Finding
The instruction to absorb hydration mentions from 'ANY source' creates an overly broad activation boundary, allowing incidental conversation to be treated as trackable input without a clear trigger. This makes covert collection likely, especially because ordinary chat, meal discussion, and exercise context can all be swept into persistent tracking.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill instructs persistent storage of hydration habits, routines, source data, and health-adjacent signals in a local memory file, yet there is no user-facing warning or consent flow describing retention. Persistent profiling without transparent notice materially increases privacy risk and can lead to long-term accumulation of sensitive behavioral data.

Ssd 3

Medium
Confidence
90% confidence
Finding
The combination of broad collection from all interactions and persistence across updates creates a durable data retention risk. Even if each individual datum seems minor, the accumulated record can reveal routines, health concerns, and lifestyle patterns over time.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal