Hope OpenTask

Security checks across malware telemetry and agentic risk

Overview

This skill matches its task-management purpose, but it exposes a reusable API key and documents live write operations that can change task state.

Install only if you control the OpenTask service and intend this agent to manage real tasks. Treat the included bot key as exposed, rotate it if it is real, replace it with an environment-provided secret, and require explicit user confirmation for create, start, complete, fail, retry, and cancel operations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill documentation directly embeds a live-looking API key and the authentication header needed to operate the task system. Anyone with access to the skill can use that credential to read tasks and perform state-changing actions such as create, start, complete, retry, fail, or cancel tasks, making this a clear secret exposure and privilege misuse risk.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The documentation exposes internal database host, port, schema, and table names that are not needed for normal skill usage. This infrastructure disclosure increases the attack surface by giving an attacker network and backend targeting information that can aid lateral movement, credential attacks, or direct database probing.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The documentation exposes a live hardcoded API authentication secret (`X-Bot-Key`) directly in the skill reference. Anyone with access to the skill files can use this credential to read and modify task state through the local service, including creating, completing, retrying, or cancelling tasks. The task-management context makes this more dangerous because the secret grants operational control, not just passive visibility.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill presents write-capable operations such as task creation and status changes as routine commands without warning that they mutate backend state and may trigger irreversible workflow effects. In an agent setting, this increases the chance of accidental execution, especially because the skill is designed for operational automation rather than read-only lookup.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The HEARTBEAT integration text explicitly suggests an automated check that can start executing tasks when any pending task is found, but it does not warn that this changes task state without user approval. In an autonomous agent context, this makes the skill more dangerous because routine health checks can become implicit write operations that trigger real workflows.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The example workflows demonstrate end-to-end create, start, and complete actions while omitting that these calls persist changes and write audit logs to backend systems. This can mislead operators or downstream agents into treating examples as harmless demonstrations when they actually perform live operational changes.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The API reference documents state-changing operations such as create, start, complete, fail, retry, and cancel without any warning, confirmation requirement, or safety guidance about their side effects. In an agent skill context, this increases the chance that an agent or user will invoke destructive or irreversible task-state transitions unintentionally, especially when combined with the exposed API key.

VirusTotal

63/63 vendors flagged this skill as clean.
