Daily Gift

Security checks across malware telemetry and agentic risk

Overview

The skill’s gift automation is mostly coherent, but it asks for unusually broad silent access to personal memory, scheduled execution, credentials, scripts, and external services without enough visible user control.

Install only if you are comfortable with a scheduled agent that reads conversation context and local memory, stores a long-term personal taste/profile record, checks configured API credentials, runs local shell scripts, and may use third-party services for rendering or hosting. Review and periodically delete `workspace/daily-gift/` data, avoid storing raw API keys in setup state when environment variables work, and disable the cron if you do not want autonomous daily runs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (43)

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The scheduled systemEvent payload instructs the agent to create or update memory files, modify setup-state, and spawn a sub-agent with a long timeout, but the file provides no bounded purpose, authorization check, or scope restriction for those actions. In a scheduled context, this is dangerous because it enables autonomous state mutation and secondary execution without explicit user approval, increasing the risk of unintended persistence, data tampering, or resource abuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding:
The workflow explicitly instructs execution of a shell script for bookkeeping without any trust boundary, argument validation, or user consent model. Even if intended for routine maintenance, command execution from an agent skill increases the attack surface because modified paths, crafted metadata, or compromised scripts could lead to unauthorized code execution or filesystem changes.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding:
The document presents a reassuring privacy claim while specifying durable storage of detailed identity, taste, relationship, and inferred emotional data. Even if data remains local, long-term profiling of sensitive personal information creates privacy and misuse risk, and the statement may understate that risk to users.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding:
The spec says Layer 1 should only reflect explicitly shared information, but also says the aesthetic profile is populated gradually from conversations, shared content, and gift feedback. That contradiction can cause agents to infer and store stable identity-like preferences without clear user authorization, increasing profiling and privacy risk.

Intent-Code Divergence

Severity: Low
Confidence: 80%
Finding:
The guidance to infer emotional patterns and connection style over time conflicts with the instruction to ask when unsure. This can normalize unverified psychological profiling and storage of sensitive behavioral inferences, which may be wrong and still influence future interactions.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The skill explicitly instructs the agent to perform maintenance tasks silently and to rewrite the task queue after completion, which enables file and state changes without user awareness or approval. In an agent setting, undisclosed persistence or modification of local state can be abused to alter behavior, hide actions, or erase evidence of prior queued work.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The skill directs the agent to silently test configured API endpoints and suppress any user notification about retry attempts. Silent outbound network activity is risky because it can be repurposed for unauthorized connectivity checks, data exfiltration paths, SSRF-like probing of attacker-supplied endpoints, or covert recovery logic the user cannot observe.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The README explicitly describes storing lightweight recent context and more stable long-term taste/identity memory, but does not pair that behavior with clear privacy disclosures, retention limits, user consent language, or deletion/export guidance. In a skill centered on emotional interpretation, these files can accumulate sensitive behavioral and psychological inferences, increasing privacy and misuse risk if exposed, synced, or reused unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill explicitly instructs the agent to persist setup state, gift history, taste profiles, user context, and relationship signals over time, but the visible skill contract does not require a clear user-facing notice, retention policy, or consent flow for that ongoing storage. Because the data includes behavioral patterns, preferences, images, and relationship-oriented memory, this creates a real privacy risk through overcollection and silent long-term profiling.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The skill defines a cron-triggered daily-run that can autonomously decide whether to send a gift, with instructions to suppress progress output and only show the final gift or a skip message. Autonomous outbound behavior without a prominent opt-in, schedule confirmation, and easy disable path can surprise users and erode trust, especially because it acts in the main session with access to contextual memory.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The seed explicitly suggests building a weekend plan using the user's location, interests, and energy level, but provides no requirement for explicit consent, minimization, or transparency. In a creative-skill context, location use is not inherently necessary and could normalize collecting sensitive data without adequate user awareness or controls.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The skill proposes mining recent chat patterns to generate playful insights, which involves analyzing user communications for behavioral summaries without any stated consent, boundary, or sensitivity limits. This creates privacy risk because the model may infer personal traits or habits from conversation history and present them back in ways the user did not expect.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding:
The cron-delivered text broadly directs use of the daily_gift skill in 'daily-run mode' without specifying preconditions, exclusions, recipient constraints, or safety boundaries. That ambiguity is risky in a scheduled trigger because it can cause the skill to run automatically in contexts the user did not intend, especially when combined with instructions to read memory, edit state, and spawn additional execution.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The payload explicitly instructs the agent to create a missing memory file and update setup-state, yet the only user-visible behavior is a final gift or brief skip message. This lack of disclosure is dangerous because it hides persistent data modification from the user, undermining informed consent and making it harder to detect unwanted state changes or retention of personal information.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The skill directs the agent to silently create memory files derived from conversation context and continue operating without notifying the user. Hidden persistence of user-derived data is risky because it bypasses informed consent and can store sensitive contextual information for future reuse.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding:
The workflow instructs automatic updates to setup state and skip records without any user-facing disclosure. Silent modification of persistent state can alter future agent behavior in ways the user cannot see or control, creating both privacy and integrity risks.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The skill describes spawning sub-agents and resolving remote assets while keeping cron runs silent. This is dangerous because it expands execution and data-sharing boundaries without transparency, potentially sending contextual or file-based information to additional components or external services.

Missing User Warnings

Severity: High
Confidence: 94%
Finding:
This section combines script execution with multiple silent writes to state, history, memory, and task queues immediately after delivery. The combination of hidden execution and broad persistent modification creates a significant integrity and privacy risk, especially in an autonomous cron context where users are not present to notice or intervene.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The onboarding flow asks for a selfie early in setup without providing just-in-time notice about storage, processing, optionality beyond skipping, or possible later transformation/use. Collecting sensitive biometric-adjacent user content without clear disclosure increases the chance of uninformed consent, privacy complaints, and unsafe downstream handling by the agent or integrated services.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The reference card explicitly encourages use of chat history and memory-based retrospectives, which can involve sensitive personal, relational, or emotional data, but it provides no privacy guardrails, consent checks, minimization guidance, or warning about handling sensitive content. In context, this is not direct exfiltration or overtly malicious behavior, but it normalizes processing personal history in a gift-oriented format, which increases the risk of over-collection, oversharing, or generating outputs that expose private details without adequate user awareness.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The instruction to silently run `chmod +x {baseDir}/scripts/*.sh` authorizes file-permission changes without user awareness or confirmation. Silent permission modification can expand the set of executable code in the environment and increase the chance that unreviewed or tampered scripts are later run with user trust.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
Silently probing for API keys and runtime defaults means the skill inspects sensitive local configuration without informing the user. Even if only presence is checked, credential discovery is sensitive behavior and can normalize unauthorized access to environment secrets.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The setup flow instructs saving a user selfie to a local workspace path and persisting portrait metadata, but provides no explicit retention, access, or deletion notice. Photos are sensitive personal data, and undisclosed storage increases privacy risk if the workspace is shared, backed up, or later reused by other tools.

Missing User Warnings

Severity: Low
Confidence: 93%
Finding:
The skill instructs the agent to fetch missing asset bundles via an external script, but it does not require any disclosure, consent, or policy check before initiating network access. In an agent environment, this can cause unexpected outbound requests, metadata leakage, or retrieval of untrusted content without the user's awareness, even if the content is only examples or templates.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The background-removal guidance tells the agent to use an API key and external service for image processing, but it does not warn that generated or user-derived images may leave the local environment. In this skill's context, portrait and selfie-related assets are explicitly in scope, so silent external processing can expose sensitive visual data and associated credentials to third-party services.

VirusTotal

66/66 vendors flagged this skill as clean.