ClawHub

Quick Reminder

Security checks across malware telemetry and agentic risk

Overview

Quick Reminder is a small, disclosed reminder skill that sends scheduled reminder text back through the same Telegram or console channel it was used in.

Install it only where automatic reminders in the current Telegram chat or console are acceptable. Avoid putting secrets or highly sensitive information in reminder text, and remember that reminders depend on the OpenClaw gateway process staying alive until the scheduled time.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README states that reminders may be delivered via Telegram or console, but it does not clearly warn users that the reminder text they provide may be transmitted through Telegram. This can expose sensitive reminder contents to third-party messaging infrastructure or unintended recipients if users assume the skill is purely local.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill advertises broad natural-language activation patterns such as reminder phrases in Spanish and English, which can cause unintended triggering when users mention such phrases conversationally rather than as a command. In a reminder skill, accidental activation can lead to unwanted scheduling and disclosure of reminder text through downstream channels like Telegram or other interfaces.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The description states that notices will be sent automatically to the channel where the message was received, including Telegram, console, and web, but it does not prominently warn users that reminder contents may be transmitted or displayed via those channels. If reminders contain sensitive information, this can result in unintended exposure to chat participants, shared terminals, logs, or external messaging platforms.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal