Dream Tracker

Security checks across malware telemetry and agentic risk

Overview

This appears to be a simple dream-journal skill, with one minor caveat: it declares an unexplained curl dependency but contains no code or instructions that use it for hidden network activity.

Before installing, check whether the clawhub CLI stores dream entries locally or sends them to a service for AI analysis or export. The skill itself does not show hidden behavior, credential access, destructive actions, or persistence, but the unexplained curl dependency is a reasonable thing for the publisher to clarify.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill declares a dependency on `curl`, which enables outbound network access despite the stated purpose being local dream recording, interpretation, and statistics. For a journaling-focused skill, this creates unnecessary capability to exfiltrate highly sensitive personal entries or fetch untrusted remote content, and there is no clear functional justification in the metadata.

VirusTotal

64/64 vendors flagged this skill as clean.
