ClawHub

Remindy

Security checks across malware telemetry and agentic risk

Overview

Remindy is a coherent reminder API, but it stores and changes personal reminder and push-notification data without documenting authentication, ownership checks, privacy handling, or deletion safeguards.

Before installing, confirm how the provider authenticates users, prevents one userId from accessing another user's reminders, protects push subscription secrets and email addresses, and handles deletion, retention, and consent. Use non-sensitive reminders until those controls are clear.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documentation explicitly describes collecting and transmitting notification contact data such as email addresses and push subscription details, but provides no privacy notice, retention guidance, consent expectations, or data-handling safeguards. In a reminder service, this omission increases the risk of misuse of personal data, non-compliant integrations, and users being unaware that their contact and device endpoint information is being sent to a third-party service.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The documentation exposes a destructive delete capability for reminders without warning about confirmation, authorization checks, or safeguards against accidental or malicious deletion. Because reminders may represent important operational or personal tasks, unclear deletion semantics can lead integrators to implement unsafe UX flows or call the endpoint without adequate user confirmation and ownership validation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The API schema exposes state-changing operations for push subscription management, reminder listing, and reminder deletion using only user-supplied identifiers such as userId, with no documented authentication, authorization, or ownership checks. In this context, an attacker who can call the API may be able to enumerate another user's status, overwrite subscriptions, list reminders, or delete reminders by submitting a different userId, leading to account-level integrity and privacy compromise.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal