Back to skill

Security audit

Glancely

Security checks across malware telemetry and agentic risk

Overview

Glancely is a capability-heavy but coherent personal tracker skill; its local storage, cron, OAuth, and dashboard behaviors match its stated purpose and are mostly disclosed.

Install only if you are comfortable with a tracker that stores personal data locally, can create scheduled OpenClaw prompts, and can use Google Calendar OAuth for diary logging. Review generated components before using them, avoid untrusted files under ~/.glancely/components, and be careful logging sensitive mood or diary details.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not component.stats_script.is_file():
        return {"status": "error", "summary": {"error": "missing scripts/stats.py"}, "rows": []}
    try:
        out = subprocess.check_output(
            [sys.executable, str(component.stats_script)],
            cwd=REPO_ROOT,
            env={**os.environ, "PYTHONPATH": str(REPO_ROOT)},
Confidence
95% confidence
Finding
out = subprocess.check_output( [sys.executable, str(component.stats_script)], cwd=REPO_ROOT, env={**os.environ, "PYTHONPATH": str(REPO_ROOT)}, t

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions, yet its documented behavior includes shell execution, filesystem access, environment-variable use, package installation, and likely network activity via pip and related flows. This creates a capability transparency problem: users and the platform cannot accurately assess what the skill may do before invocation, increasing the chance of unsafe execution and privilege overreach.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The described purpose is a personal tracker scaffold, but the documented/observed behavior extends into OAuth, external API access, browser launching, cron/session registration, and inspection of sensitive local files. That mismatch is dangerous because users may authorize a seemingly simple productivity skill without realizing it can access credentials, modify scheduling state, or interact with external services.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
This skill is presented as a personal tracker, but the module directly writes scheduled jobs into another system's cron registry and causes arbitrary systemEvent text to be delivered to a configured agent session. That is a capability expansion beyond ordinary tracker data handling and can be abused for persistent prompt injection, automated unsolicited actions, or hidden task scheduling under the user's identity.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The code loads external routing configuration including agent_id, session_target, and especially session_key, then uses those values to direct scheduled prompts into an agent session. For a 'personal tracker' skill, handling session-routing secrets is more sensitive than expected and increases the chance of unauthorized message delivery, secret exposure, or misuse of an existing authenticated session.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The migration runner loads and executes any `.sql` file from both built-in skill directories and a user-controlled component directory under `GLANCE_HOME/components` using `executescript()`. That means any actor who can place or modify component files can run arbitrary SQL against the application's SQLite database, which is broader than expected for a personal tracker skill and can be abused to alter, destroy, or exfiltrate application data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This module performs live Google Calendar reads and writes, which is an external-account capability materially broader than the stated skill description of local tracker scaffolding, dashboarding, and cron. Even if intended for a diary logger example, it enables modification and enumeration of a user's calendar data, creating privacy and integrity risk if invoked unexpectedly or with overly broad OAuth scopes.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The README describes the skill in very broad, natural-language terms ('any personal tracker you can describe') without clear boundaries for when it should activate. In agent environments, this can cause overbroad triggering from ordinary planning or journaling requests, leading the skill to scaffold trackers, reminders, cron jobs, or dashboards when the user did not explicitly intend to invoke it.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The instruction 'Tell your agent what you want to track' is an especially vague activation cue that encourages the agent to infer invocation from normal conversation. Because this skill can create persistent artifacts like migrations, cron schedules, reminders, and dashboards, accidental activation could result in unintended state changes and automation on the user's system.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger phrase "remind me" is common in normal conversation and can easily match requests that were not meant to invoke this skill. In a skill that can scaffold components, read/write local state, and potentially set up cron-like reminders, accidental invocation can lead to unintended actions or persistent changes.

Vague Triggers

High
Confidence
95% confidence
Finding
The phrase "track my" is extremely broad and likely to match many unrelated user intents, causing this skill to intercept requests outside its intended scope. Because the routed action can read local component definitions and initiate scaffolding flows that modify files and dashboard state, mistaken activation has a higher chance of causing unwanted persistent side effects.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The plan instructs the operator to run `rm -rf ~/.glancely` as part of a smoke test without warning, backup guidance, or confirmation. Even though the target is scoped to an application directory rather than all of `$HOME`, it can still destroy user data, local configuration, logs, or components in a default location and is unsafe in agent-executed workflows.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly sends user-provided activity titles and time ranges to Google Calendar and stores an OAuth token locally, but the description does not clearly warn users about this external transmission and local credential persistence. That omission can lead users to disclose sensitive personal routines or work information without informed consent, which is a real privacy and security issue in a personal tracking skill.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script persists the user's full `--raw` reply directly into the `raw_text` column, and may also copy it into `note` by default. For a mood-tracking skill, free-form replies can easily contain sensitive personal data, health information, relationship details, or other private context, so storing the full response without minimization or explicit disclosure creates a real privacy risk if the database is later accessed, shared, or retained longer than expected.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The prompt explicitly tells the agent to take the user's full mood response and persist it via a logging script, but it does not instruct the agent to disclose that the reply will be recorded or obtain consent. Because mood responses can contain sensitive mental-health, medical, or other personal information, verbatim collection without notice creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The setup flow instructs the agent to install software and initialize state under ~/.glancely, including writing configuration, without an explicit warning or consent gate for modifying the local filesystem. In an agent context, silent persistence and config writes can surprise users and create unwanted local state, especially when coupled with package installation and future cron-related setup.

Ssd 3

Medium
Confidence
96% confidence
Finding
The instruction forwards the user's entire reply verbatim into a logging command, which increases exposure of sensitive free-form text and can capture far more personal data than needed for a mood tracker. In the context of a personal tracking skill, this is more dangerous because users are likely to share intimate emotional details, making overcollection especially risky even if the feature is intended functionality.

Session Persistence

Medium
Category
Rogue Agent
Content
1. Check if the user already has a matching component in `~/.glancely/components/`
2. If yes: read its SKILL.md for field docs, then call its scripts/log.py
3. If no: read the matching example in `examples/` for reference, then use the scaffold flow to create it first
4. Report the result

## Setup
Confidence
72% confidence
Finding
create it first 4. Report the result ## Setup If `glancely` CLI is missing or `~/.glancely/` does not exist: 1. Install the package: `pip3 install glancely` (or `pip install glancely` if pip3 isn't

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.