Kinema's Task Management (daily report, active push, traceback)

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local task manager that stores markdown task files and can set up daily task reports. It installs persistent automation that users should understand before enabling it.

Install only if you want OpenClaw to keep local markdown task history and run daily scheduled task automation. Confirm the report destination carefully, avoid putting secrets in task descriptions, and remove the kinema-tasks cron jobs if you no longer want daily reports or automatic archiving.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Medium
Confidence: 90%
Finding
The README advertises automatic persistence, snapshotting, archiving, and daily push/report behavior, but does not clearly warn that the skill will modify workspace files and may automatically retain or surface potentially sensitive task data. In a task-management skill that operates on user notes, this omission can lead to unintended data disclosure, unexpected state changes, and user confusion about what the agent is allowed to do.

Vague Triggers

Medium
Confidence: 93%
Finding
The manual-query trigger includes very broad natural-language phrases such as asking to 'look at tasks' or 'task list/report', which can overlap with ordinary conversation and cause the skill to activate unexpectedly. In a skill that scans and summarizes local task files and may prompt follow-on state changes, unintended activation can expose sensitive task metadata or cause confusing/autonomous behavior beyond the user's intent.

Vague Triggers

Medium
Confidence: 95%
Finding
The top-level trigger definition is overly broad, matching generic mentions of '任务' or 'task' and common requests to create/update/check tasks, which increases the chance of accidental skill invocation during unrelated discussion. Because this skill writes and reads markdown files in a workspace and supports archive/update flows, unintended activation can lead to unnecessary file access, privacy leakage in reports, or mistaken task-management actions after ambiguous user input.

VirusTotal

66/66 vendors flagged this skill as clean.
