ClawHub

Personal Finish Notifier

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent completion notifier, but its installer persistently rewrites Claude hook settings and enables automatic future command execution without enough user control.

Review and back up ~/.claude/settings.json before running the installer, especially if you already use Claude hooks. Install only if you want persistent automatic completion notifications, set OPENCLAW_NOTIFY_TARGET carefully, use OPENCLAW_NOTIFY_SELF_TARGET for self-only delivery, and remove the hook/settings entries manually if you no longer want it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and instructs use of shell scripts that read from stdin, read a user-specific config file under ~/.claude, and install/update hook wiring, but it declares no permissions. This creates a permission-transparency gap: users and hosting platforms cannot accurately assess that the skill can read files, write configuration or hook state, and execute shell commands, increasing the risk of unintended system changes or misuse if the scripts are modified or invoked in sensitive environments.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer copies an executable hook into ~/.claude/hooks and makes it executable without any notice, confirmation, or diff for the user. Silent installation of agent-triggered hooks is risky because it establishes persistent code execution in future Claude workflows, which users may not realize they enabled.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script rewrites ~/.claude/settings.json to register Stop and TaskCompleted command hooks that execute a shell script on every matching event. This is dangerous because it creates persistent automatic command execution in the user's agent environment and may overwrite or replace existing settings entries without informed consent.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Creating a messaging-related environment file silently can establish notification behavior and future integration targets that the user did not knowingly approve. While the current file contains placeholders rather than credentials, it still sets up persistent messaging configuration in a hidden application directory.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends a notification message to an external OpenClaw/WhatsApp target, which creates a data egress path outside the local agent environment. Even though the current message is hardcoded to a generic completion notice, the mechanism is capable of transmitting agent-derived content and there is no explicit user-facing consent or disclosure in the script itself, so misconfiguration or future changes could leak workflow metadata externally.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal