Qclaw Workbuddy Bridge

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local task-queue bridge, but it gives broad background automation power to chat-triggered tasks without enough scoping or approval controls.

Install only if you intentionally want QClaw or WeChat requests to drive WorkBuddy automation. Before enabling it, restrict who can write to the queue file, use strict file permissions, avoid queuing secrets or sensitive business data, require confirmation for local-file or account-changing actions, and make sure the automation can be paused or disabled.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The QClaw prompt turns the bridge into a broad delegation channel for many complex tasks, including local file operations and multi-step work, rather than a narrowly scoped transport mechanism. Because tasks are forwarded based on natural-language heuristics, this can cause unintended remote execution of sensitive operations from ordinary user requests.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The WorkBuddy automation is instructed to '自主执行任务' (execute tasks autonomously) using any needed tools or skills, which effectively grants open-ended execution authority to whatever content lands in the queue. In the context of an automated polling worker, this creates a powerful execution sink for unreviewed natural-language tasks and materially increases the chance of harmful file access, data disclosure, or unsafe actions.

Vague Triggers

Medium
Confidence: 81%
Finding
The trigger words and distribution framing are broad enough to overlap with common conversational requests, making accidental activation likely. In a bridge that writes tasks to a queue for downstream execution, overbroad triggers increase the risk that normal chat content becomes actionable automation input.

Vague Triggers

High
Confidence: 95%
Finding
The dispatch conditions include common phrases like '帮我生成/制作/分析/整理' (help me generate/make/analyze/organize) and vague criteria such as '你做不到的事' (things you cannot do), with no limiting conditions or safety gating. That makes ordinary user requests eligible for remote task execution, which is especially dangerous because the downstream worker is told to execute tasks autonomously.

Missing User Warnings

Medium
Confidence: 84%
Finding
The skill's documentation describes storing user tasks and results in a local queue and sending summaries back over WeChat, but it does not warn users that their content may be retained, processed automatically, and retransmitted. Without explicit disclosure and consent, sensitive user data may be handled in ways users do not expect.

Missing User Warnings

Medium
Confidence: 90%
Finding
The automation directs the agent to execute tasks autonomously, write results to local storage, and potentially send outputs onward, yet the document omits explicit risk warnings about automatic file operations, tool use, and external result delivery. In an unattended polling loop, this missing disclosure increases the chance of unsafe or privacy-impacting behavior occurring without informed user consent.

Ssd 3

Medium
Confidence: 91%
Finding
The workflow routes task context and results through a shared queue and then pushes summaries back to users without any content restrictions or sensitivity filtering. This creates a natural path for secrets, personal data, file contents, or internal project details to be retained locally and then disclosed through messaging.

Ssd 3

Medium
Confidence: 93%
Finding
The schema and examples encourage storing original user intent, names, project identifiers, and file paths in queue records, which unnecessarily increases sensitive data retention and exposure. If the queue is accessed by other processes, backed up, or mishandled, this metadata can reveal personal, organizational, or filesystem information beyond what is needed to execute the task.

VirusTotal

No VirusTotal findings