ClawHub

limitless-lifelogs

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent, but it needs Review because it can access very sensitive lifelog transcripts and send transcript-derived quotes and metadata to webhooks or email despite also calling itself read-only.

Install only if you are comfortable giving the skill access to your Limitless transcripts. Before using dispatch, fix or verify the agents.json path, inspect every webhook or email recipient, and approve sends only after reviewing and redacting any quoted transcript content that would leave your system.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill is described as a lifelog search/summarization tool, but later expands into dispatching extracted action items via webhooks or email. That turns a read/analyze capability over highly sensitive personal transcripts into a data-exfiltration and side-effecting automation path, increasing the chance that private speech is transmitted to third parties without sufficiently explicit, informed consent.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
The file explicitly claims the skill is read-only, then later instructs the agent to send POST webhooks and potentially email extracted transcript content. This contradiction can mislead users and reviewers into granting trust or permissions under false assumptions, making unintended external disclosure more likely.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is described as limited to searching and summarizing Limitless lifelogs, but this file defines a general-purpose agent that can handle email, scheduling, research, and communication tasks. That mismatch expands capability beyond the declared scope and can route sensitive lifelog-derived data or user requests into unrelated actions, increasing the chance of over-collection, unauthorized task execution, or misuse.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This configuration sends requests to an external webhook for a general-purpose agent without any justification tied to the skill’s stated lifelog-analysis purpose. Because lifelogs may contain highly sensitive personal data, forwarding agent invocations to an external endpoint creates a real risk of data exfiltration, uncontrolled downstream processing, and privacy violations.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The instruction to run action-item extraction automatically after a recap can cause sensitive transcript content to be analyzed for agent-directed tasks without a distinct user request. In a lifelog context, automatic extraction increases the chance of unintended task detection and subsequent disclosure or dispatch of private spoken content.

Missing User Warnings

High
Confidence
95% confidence
Finding
The webhook dispatch flow transmits task summaries, source quotes, log IDs, and timestamps derived from private lifelog transcripts to external endpoints, but the skill text does not require a strong warning about this disclosure. Because lifelogs may contain highly sensitive personal, professional, or bystander information, sending excerpts to arbitrary URLs is especially dangerous.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The email option can send transcript-derived task details through system mail without a prominent privacy warning or content preview. Email is an external transmission channel that may be insecure, persistent, and forwarded, so sending quoted speech from lifelogs creates material confidentiality risk.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The agent description and triggers are broad enough that users may invoke it for many tasks unrelated to lifelog analysis, and generic triggers like 'Obi' or 'Hey Obi' make activation boundaries unclear. In a skill handling intimate life-log data, ambiguous invocation scope increases the chance of accidental triggering, unintended data access, and confused-deputy behavior where sensitive context is used for unrelated actions.

External Transmission

Medium
Category
Data Exfiltration
Content
}
  ```
  ```bash
  curl -s -X POST -H "Content-Type: application/json" \
    -d '{"agent":"NAME","task":"TASK","source_quote":"QUOTE","log_id":"ID","timestamp":"TS"}' \
    "DISPATCH_URL"
  ```
Confidence
91% confidence
Finding
curl -s -X POST -H "Content-Type: application/json" \ -d

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal