Security audit

Qclaw Result Checker

Security checks across malware telemetry and agentic risk

Overview

The skill transparently checks local WorkBuddy task status and results, with a privacy caveat that broad result-related prompts could show prior queue data.

Install only if you trust the separate qclaw-workbuddy-bridge helper already present on your machine. Be aware that general questions like “are the results ready?” may display prior WorkBuddy task descriptions, full results, or attachment paths from the local queue.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger list includes broad conversational phrases such as '结果出来了吗' and '工作做完了吗', which can easily match ordinary dialogue and invoke the skill unintentionally. Accidental triggering can expose task metadata or results from WorkBuddy to the wrong conversational context, creating a privacy and data-leak risk rather than a direct code-execution issue.

VirusTotal

No VirusTotal findings

Static analysis

No suspicious patterns detected.