Pulse TODO

Security checks across malware telemetry and agentic risk

Overview

Pulse TODO is an instruction-only task and reminder skill whose TODO and cron behavior is disclosed and aligned with its purpose.

Install this if you want your agent to maintain a persistent TODO.md and scheduled reminders. Before migration, back up existing TODO.md and HEARTBEAT.md, review any proposed cron changes, and confirm ambiguous reminders before letting the agent write tasks or create scheduled jobs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence: 90%
Finding
The skill description includes very broad trigger phrases such as "remember," "schedule," "remind," and "what should I do," which are common in normal conversation and can cause the skill to activate when the user did not intend task-management behavior. In an agent setting, unintended invocation can lead to unwanted TODO creation, file modification, or cron/scheduling actions, increasing the chance of accidental state changes and automation side effects.

Missing User Warnings

Medium
Confidence: 91%
Finding
The setup directs the operator to copy a template into a workspace TODO.md path and then modify HEARTBEAT.md, but it does not require backing up, diffing, or confirming before replacing task-management files. In a skill whose purpose is to drive future agent behavior, silent replacement or aggressive migration can cause loss of existing tasks, missed obligations, or unintended automated actions on later heartbeats.

VirusTotal

55/55 vendors flagged this skill as clean.
