ClawHub

C Task Cleanup

Security checks across malware telemetry and agentic risk

Overview

This skill is a local task-cleanup script that matches its stated purpose, though users should understand it overwrites completed task records and copies selected task text into memory and logs.

Before installing or scheduling it, confirm the hardcoded paths match your setup and test it on a copy of the task file. Keep backups if completed task history matters, because the script has no built-in undo or dry-run mode and may retain selected task content in local memory and report files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly describes clearing completed task records and writing derived content into MEMORY.md, but it does not warn the user that running it will modify and delete local data. In an agent-skill context, silent destructive behavior is risky because users may trigger the skill expecting analysis or maintenance and instead lose task history or have sensitive content persisted elsewhere.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill persists task-derived content into a long-lived memory file without explicit user consent, notice, filtering, or sensitivity checks. Completed tasks may contain personal, confidential, or operationally sensitive information, and silently copying them into another store expands retention and exposure beyond the apparent cleanup function.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill destructively overwrites the task pool file to clear completed tasks without confirmation, backup, dry-run mode, or rollback protection. If parsing is wrong, the file format changes, or the tool is triggered unexpectedly, users can lose records they expected to keep, making this a data integrity and availability risk.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal