Huizai Proactive Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives a proactive agent broad memory, monitoring, cleanup, and autonomous-work authority without enough user control.

Install only if you intentionally want a highly proactive, memory-heavy agent. Before using it, require explicit approval for email/calendar access, desktop or browser cleanup, trash operations, background agent turns, sub-agent spawning, and edits to operating files. Treat the memory files as private data and review or delete them regularly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (39)

Context-Inappropriate Capability (Medium severity, 91% confidence)

The skill explicitly encourages broad, repeated use of powerful capabilities such as CLI, browser, web search, and spawning agents under a vague 'try 5-10 methods' mandate. Even though the document includes some safety language, this pattern materially increases the chance of unsafe tool use, unintended external access, or privilege misuse without task-specific justification or approval gates.

Context-Inappropriate Capability (Medium severity, 88% confidence)

The file explicitly authorizes broad external activity such as web searching and checking calendars under a general 'do freely' heading, even though the skill description does not clearly scope or justify those capabilities. This expands the agent's operational surface area and can lead to unnecessary access to sensitive external data or services during normal operation.

Context-Inappropriate Capability (Medium severity, 95% confidence)

The heartbeat workflow instructs the agent to inspect emails and calendars proactively and decide when to reach out, which creates ongoing monitoring behavior over highly sensitive data sources. Without explicit task-based authorization and consent boundaries, this can expose private communications, leak contextual information, or cause intrusive autonomous behavior.

Context-Inappropriate Capability (Medium severity, 93% confidence)

Directing the agent to use 'every tool' including browser, web search, CLI, and spawned agents encourages capability escalation beyond the file's operating-rules purpose and weakens least-privilege controls. In failure scenarios, this can push the agent into unnecessary external access, uncontrolled delegation, and broader data exposure.

Context-Inappropriate Capability (Medium severity, 95% confidence)

The heartbeat file directs the agent to perform endpoint-management actions such as closing applications, cleaning browser tabs, and moving files to trash. Those actions exceed the stated proactive/self-improvement scope and can cause user disruption or unintended data loss when run automatically during periodic heartbeats.

Context-Inappropriate Capability (Medium severity, 95% confidence)

The checklist tells the agent to periodically inspect emails, calendar, and projects without establishing user consent, scope limits, or necessity for the skill's declared purpose. This expands the agent into routine surveillance of sensitive personal data and increases the chance of privacy violations or misuse of privileged integrations.

Description-Behavior Mismatch (Medium severity, 94% confidence)

The guidance explicitly instructs the agent to collect and persist personal details during onboarding and to store them in local profile files. This creates a privacy and data-minimization problem because the collection extends into profiling and long-term retention without clear necessity, consent language, retention limits, or access controls.

Context-Inappropriate Capability (Medium severity, 91% confidence)

Directing the agent to build and update a `SOUL.md` personality configuration from user answers expands onboarding into behavioral profiling beyond basic task assistance. That can create unnecessary sensitive inferences about preferences or traits and increases the risk of manipulative personalization or unintended disclosure if the file is later reused.

Context-Inappropriate Capability (Medium severity, 84% confidence)

The script reads a user-scoped configuration file at $HOME/.clawdbot/clawdbot.json, which is outside the skill directory and not necessary for safely auditing only this skill's own files. Even though it only performs local grep checks, accessing unrelated home-directory configuration expands the skill's visibility into user environment details and can disclose sensitive deployment metadata or normalize cross-boundary inspection.

Vague Triggers (Medium severity, 86% confidence)

The skill repeatedly frames the agent as one that should proactively anticipate needs and act without being asked, but it does not define strong scope boundaries or explicit user-consent gates for when proactive behavior should trigger. In practice, this can cause the agent to over-engage, initiate actions in ordinary conversations, or pressure users into workflows they did not request, increasing the chance of unsafe or undesired behavior.

Vague Triggers (Medium severity, 89% confidence)

The reverse-prompting section uses vague conditions like 'significant new context' and 'conversation lulls,' which are subjective and likely to fire unpredictably. That makes the agent more susceptible to scope drift, over-collection of user information, and unsolicited prompting in situations where the user did not intend deeper engagement.

Vague Triggers (Low severity, 82% confidence)

Triggering curiosity prompts based on loosely defined 'long conversation' length encourages the agent to gather more user information without a tightly scoped purpose. While lower severity than direct action-taking, it still creates a pathway for unnecessary elicitation of personal context and conversational scope expansion.

Vague Triggers (Medium severity, 95% confidence)

The WAL trigger tells the agent to scan every message for extremely common patterns like corrections, names, preferences, decisions, and specific values, then automatically act before responding. This makes activation boundaries overly broad and causes the skill to fire during ordinary conversation, increasing the risk of unintended persistence and behavior changes.

Vague Triggers (Medium severity, 90% confidence)

The compaction recovery trigger includes ambiguous conditions such as 'you should know something but don't' and common phrases like 'continue' or 'where were we?'. Because these signals are vague and easy to encounter in normal use, the recovery logic may activate unexpectedly and pull in prior context or files when not actually appropriate.

Missing User Warnings (Medium severity, 97% confidence)

The working buffer protocol requires logging every message after a context threshold, including the human's message and the agent's response summary, without any user-facing notice or consent mechanism. This creates a privacy risk because users may not realize their conversation is being copied into persistent files, including potentially sensitive or regulated data.

Missing User Warnings (Medium severity, 98% confidence)

The WAL protocol mandates writing user-provided details such as names, preferences, IDs, URLs, and decisions to SESSION-STATE.md before responding, yet the skill does not clearly warn users that such details will be persistently stored. This is a direct consent and transparency failure that can lead to silent collection of sensitive personal or operational information.

Vague Triggers (Medium severity, 91% confidence)

The WAL trigger instructs the agent to scan every message for broad categories like corrections, preferences, names, and decisions, then automatically persist them before responding. This creates an overbroad always-on capture mechanism that can retain sensitive user data without contextual necessity or explicit consent.

Vague Triggers (Medium severity, 87% confidence)

The compaction-recovery logic auto-triggers on vague phrases such as 'continue' or 'where were we,' which are common in normal conversation and may cause unnecessary reads of persistent logs and context files. That broad trigger increases the chance of pulling in stale or over-collected data beyond what is needed for the user's immediate request.

Missing User Warnings (Medium severity, 93% confidence)

The onboarding flow says the agent auto-populates USER.md and SOUL.md from user answers, but it does not present an explicit privacy notice, retention policy, or consent checkpoint. Automatically converting conversational answers into persistent profile files can surprise users and lead to collection of more personal context than they intended to store.

Vague Triggers (Medium severity, 93% confidence)

The manifest description is extremely broad ('proactive agent' that anticipates needs, acts proactively, and continuously optimizes) without defining boundaries, triggers, or approval requirements. In an agentic system, vague scope can cause the skill to be invoked in unintended contexts or justify overreach into autonomous behavior, increasing the risk of unsafe actions and privilege misuse.

Natural-Language Policy Violations (Medium severity, 81% confidence)

The description hardcodes Chinese-language behavior ('OpenClaw主动代理 - 预判需求、主动行动、持续优化') without indicating locale selection, multilingual support, or user choice. This can lead to misleading behavior, user confusion, or instruction misinterpretation in environments expecting another language, which is a policy and usability risk though not typically a direct code-execution issue.

Vague Triggers (Medium severity, 90% confidence)

The instruction 'Don't ask permission. Just do it.' creates a broad autonomy default before the rest of the file establishes meaningful boundaries. Even with later safety language, this kind of blanket activation can cause the agent to initiate actions, access files, and gather context without clear task scoping or user intent.

Vague Triggers (Low severity, 82% confidence)

The proactive-work section encourages the agent to anticipate and act without clearly defining what events, limits, or confidence thresholds should trigger autonomous behavior. Ambiguous proactivity can lead to over-collection of information, unnecessary work on unrelated projects, or actions the user did not intend.

Missing User Warnings (Medium severity, 97% confidence)

The system-cleanup section authorizes destructive or disruptive actions like closing apps and moving old screenshots to trash, but it provides no warning, confirmation, rollback, or safety criteria beyond vague heuristics such as 'if safe.' In an autonomous heartbeat loop, this can lead to irreversible deletion, interruption of active work, and mistaken cleanup of important artifacts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Periodic review of emails, calendar entries, and project data is instructed without any user-awareness or privacy warning, despite involving highly sensitive personal and business information. In a background heartbeat context, silent recurring access is especially risky because it normalizes broad monitoring without contemporaneous consent.

VirusTotal

65/65 vendors flagged this skill as clean.