Daily Reflect

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed daily journaling prompt tool with optional user-enabled reminder scheduling, and no evidence of hidden data theft or unsafe automatic behavior was found.

Before installing, confirm you want daily reminder scheduling available for the listed chat platforms and that your OpenClaw host handles cron markers and channel authorization as expected. If you use strict agent routing, consider narrowing the trigger words to avoid accidental activation for generic journaling or writing-prompt requests.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 84%
Finding
The manifest advertises journaling prompts, while the body documents commands for enabling, disabling, and configuring recurring pushes to external platforms. That inconsistency can mislead users and operators about what the skill actually does, making review, consent, and deployment decisions less informed.

Context-Inappropriate Capability

Medium
Confidence: 81%
Finding
User-targeted scheduling and outbound delivery to Telegram, Feishu, Slack, or Discord go beyond what is necessary for a basic prompt generator. Without clear justification and controls, this creates unnecessary external messaging capability that could be abused for spam, unwanted contact, or privacy-invasive reminders.

Vague Triggers

Medium
Confidence: 93%
Finding
The trigger list contains very broad everyday phrases such as 'journal', 'journaling', 'writing prompt', and common Chinese equivalents that are likely to appear in ordinary conversation unrelated to this skill. In an agent-routing context, this can cause accidental invocation or inappropriate skill selection, leading to prompt hijacking of benign user requests and degraded trust or privacy if reflective prompts are injected into unrelated chats.

VirusTotal

65/65 vendors flagged this skill as clean.
