ClawHub

User Growth Coach

Security checks across malware telemetry and agentic risk

Overview

This is a coherent personal coaching skill, but it can collect and persist broad local conversation history for behavioral analysis without strong user controls.

Install only if you are comfortable with a persistent coaching memory that may use local OpenClaw session transcripts, daily summaries, review notes, commitments, and emotion signals. Before enabling Daily Digest or cron, review where files are stored, add your own source filters and retention/deletion process, and avoid using it around highly sensitive chats unless you are comfortable with that data being summarized and reused later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (23)

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script persistently stores extracted user conversation content to markdown under a workspace memory directory, creating a lasting record of potentially sensitive messages. In the context of a coaching skill that processes personal reflections, this increases privacy risk because intimate or behavioral data may be retained longer and reused for later analysis without clear minimization or consent controls.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script performs an additional destructive state change by renaming the source markdown file to a backup after conversion. That behavior goes beyond a simple format export and can break workflows, surprise users, or cause data loss if downstream tools expect the original file to remain in place or if the rename fails mid-process.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill explicitly automates extraction of all daily interactions into a persistent daily digest outside the immediate capture/review workflow. This broad background collection materially expands data scope and creates privacy and context-leakage risk because unrelated conversations, projects, links, and emotional signals are later reused in analysis without clear per-use consent.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The documented cron jobs run automatically every day to extract data and send reminders, which means the skill performs background processing and nudging without an in-band confirmation at execution time. Even if intended as a coaching aid, unattended scheduled jobs increase surveillance and persistence risk beyond a simple on-demand skill.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly documents persistent storage of sensitive user reflections and daily interaction summaries, but provides no clear consent flow, retention policy, access boundaries, or privacy warning. Because the stored content can include emotional state, commitments, and behavioral patterns, this creates a real privacy and surveillance risk if users are unaware or if the files are exposed locally or through backups/sync.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description says it connects current input, historical reviews, and daily context to infer deep behavior patterns, but it does not warn users that broader conversational material may be reused for profiling-like analysis. That omission is dangerous because users may provide highly personal content expecting a single-session response, not cross-context correlation over time.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The reminder configuration recommends sending only a very short trigger word such as “复盘”, relying on the skill to auto-expand into a workflow. Because this phrase is common in ordinary Chinese conversation, the skill may activate unintentionally when a user or automation sends a normal message, causing unintended workflow execution or context processing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script writes a daily digest containing extracted user messages without any user-facing warning or consent prompt about persistent storage. Because the content comes from session transcripts and may include sensitive personal or behavioral information, silent persistence meaningfully raises privacy and surprise risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script reads user session transcripts, extracts message content, and emits the raw timeline to stdout for downstream LLM consumption without any consent check, minimization, or redaction. In this skill context, the data likely contains sensitive personal reflections and behavioral history, so verbatim export creates a clear privacy and data-exposure path if logs, pipes, or downstream processors are not tightly controlled.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Renaming the source file without prior confirmation or a clearly disclosed flag is unsafe because it silently changes persistent user data. In a personal-memory skill context, that increases operational risk: users may lose expected access to their markdown journal, and any automation depending on the original filename can fail immediately after running the script.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Several trigger phrases such as '情绪', '目标', '回顾', '帮助', and '感觉' are common natural language terms that could appear in ordinary conversation and unintentionally activate storage, review, or modification flows. In this skill, accidental activation is more dangerous because triggers can write persistent memory or invoke destructive actions like deletion/modification of recent records.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill advertises deep cross-context analysis connecting current input, historical reviews, and daily conversation context, but it does not pair that scope with a prominent privacy warning, retention policy, or consent boundary. Because the feature is specifically designed to aggregate and infer behavior patterns across contexts, the missing disclosure materially raises the risk of over-collection and unexpected profiling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The '删除上条' trigger performs a destructive operation yet the specification contains no confirmation, undo, or safety check. Given the broad and informal trigger vocabulary, a casual phrase could permanently remove user data and undermine integrity of the stored review history.

Missing User Warnings

High
Confidence
99% confidence
Finding
The daily digest section describes automatic extraction and summarization of all daily interactions, including projects, links, commitments, and emotional tone, without an explicit warning that broad ongoing monitoring is occurring. This is dangerous because users may reasonably expect a coaching skill to process only intentional journal inputs, not passively compile unrelated conversations into persistent memory.

Ssd 3

Medium
Confidence
92% confidence
Finding
The README promotes aggregation and reuse of broad user interaction history and daily context for generating responses, which materially expands the data surface beyond the immediate user prompt. That increases the chance of unintended disclosure, overcollection, and sensitive inference, especially when the skill analyzes behavior patterns, emotions, and commitments across time.

Ssd 3

Medium
Confidence
91% confidence
Finding
Deep mode is documented to use all interaction context, including same-day conversation summaries, for feedback generation. This broad context ingestion can expose sensitive information from unrelated conversations and can cause the model to surface private details the user did not intend to include in the current recap.

Ssd 3

Medium
Confidence
90% confidence
Finding
The growth summary feature synthesizes cross-day context, commitments, and action patterns into output, effectively creating longitudinal behavioral profiling. Without strong consent and minimization, this can reveal sensitive trends or prior disclosures in later outputs, even when the current request is narrower.

Ssd 3

Medium
Confidence
89% confidence
Finding
The design language explicitly encourages correlating what the user did, searched, and discussed with recap content, which widens analysis from self-reported reflections to inferred behavioral surveillance. In this skill context, that makes the feature more sensitive because it deals with personal growth, emotions, habits, and perceived psychological mechanisms.

Ssd 3

Medium
Confidence
93% confidence
Finding
The script explicitly compiles a detailed 'complete timeline' of user messages and stores it for later LLM analysis, which amplifies privacy exposure beyond transient processing. In a user-growth/coaching context, the data may reveal emotions, decisions, routines, and personal history, making the retained digest particularly sensitive if accessed by other tools, users, or future prompts.

Ssd 3

Medium
Confidence
91% confidence
Finding
The script description explicitly states that it extracts raw user input from session transcripts and outputs plaintext for later LLM summarization, which establishes an intentional natural-language data exfiltration path. In a coaching skill that correlates current input, history, and daily context, the exposed content is especially likely to include intimate behavioral, emotional, and possibly identifying information.

Ssd 3

Medium
Confidence
96% confidence
Finding
This code accumulates all qualifying user messages for the target date and prints them verbatim in chronological order, materially increasing exposure of sensitive user content. Because stdout is commonly piped, logged, or captured by schedulers and orchestration tools, this design can leak private transcript data beyond its original storage boundary.

Ssd 3

High
Confidence
98% confidence
Finding
The core design explicitly links review content with broader daily conversation context and historical records, then surfaces inferred patterns later. That creates a natural-language data leakage channel across contexts: sensitive information shared for one purpose can be reintroduced in another context unexpectedly, exposing private details or enabling unwanted profiling.

Ssd 3

High
Confidence
99% confidence
Finding
The daily digest prompt instructs the system to read all user interactions and persist structured summaries of projects, links, pending tasks, and emotional state. This creates a direct cross-context leakage and profiling risk because broad personal and potentially sensitive details are extracted from unrelated interactions and made available for later retrieval and inference.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal