TODO Web App

Security checks across malware telemetry and agentic risk

Overview

This is a real TODO web app, but it runs an unauthenticated LAN-accessible editor for local TODO files and encourages persistent auto-start, so it needs careful review before use.

Install only if you intentionally want an always-on TODO editor reachable from devices on a trusted private LAN. Avoid using it on shared networks unless you bind it to localhost or add authentication and origin checks; review the sensitivity of your TODO.md content, keep backups before using Archive Done, and know how to unload/remove the LaunchAgent before enabling auto-start.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill exposes a LAN-accessible web service and uses network capabilities, but the skill metadata does not declare permissions or prominently warn about that exposure. This is risky because users and higher-level policy systems may not realize the app opens a reachable HTTP service that exposes and modifies TODO contents from other devices on the local network.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The server listens on 0.0.0.0 and exposes POST /toggle and POST /archive with no authentication, authorization, or origin checking. Any device on the LAN can modify TODO.md or trigger archival, so a nearby attacker or malicious webpage reachable from the user's browser could tamper with local task data beyond a passive viewer use case.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The /events SSE endpoint sets Access-Control-Allow-Origin: *, allowing any website to subscribe to change notifications. While it does not directly expose file contents, it leaks activity metadata and makes cross-origin interaction with the local service easier to coordinate.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes interactive checkbox toggling and archiving, but it does not clearly warn that actions immediately and persistently modify TODO.md and move completed items into TODO-done.md. This can lead to unintended data changes or loss of expected task history, especially when multiple LAN users can interact with the UI.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The skill exposes TODO contents to any device on the local network over plain HTTP, but the description does not clearly warn about the confidentiality and integrity risks of LAN exposure without HTTPS or authentication. On untrusted or shared networks, other users on the LAN may read sensitive task contents or modify them if the app accepts writes from any client.

Session Persistence

Medium
Category
Rogue Agent
Content
### 3. Install the launchd agent

Copy `assets/com.todo.plist.template` to `~/Library/LaunchAgents/com.todo.plist`.

Edit the plist and update these two values:
- The path to `node` (run `which node` to find it)
Confidence
91% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
### 3. Install the launchd agent

Copy `assets/com.todo.plist.template` to `~/Library/LaunchAgents/com.todo.plist`.

Edit the plist and update these two values:
- The path to `node` (run `which node` to find it)
Confidence
91% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
Copy `assets/com.todo.plist.template` to `~/Library/LaunchAgents/com.todo.plist`.

Edit the plist and update these two values:
- The path to `node` (run `which node` to find it)
- The path to `server.js`
Confidence
91% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
Then load it:

```bash
launchctl load ~/Library/LaunchAgents/com.todo.plist
```

### 4. Open in browser
Confidence
93% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
Then load it:

```bash
launchctl load ~/Library/LaunchAgents/com.todo.plist
```

### 4. Open in browser
Confidence
93% confidence
Finding
plist

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal