Security audit

Adhd Assistant 1.0.0

Security checks across malware telemetry and agentic risk

Overview

This is a coherent ADHD productivity assistant, but users should know it may save sensitive ADHD-related preferences and health context in memory.

Install only if you are comfortable with the assistant using OpenClaw memory for ADHD-related routines, preferences, and health-adjacent context. Review memory settings, avoid saving diagnosis or treatment details unless you explicitly want that, and delete remembered items that feel too personal.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium, 90% confidence
Finding
The activation criteria are broad enough to match many ordinary productivity or overwhelm-related requests, which can cause the skill to activate outside clear ADHD-specific contexts. Because this skill also handles sensitive mental-health-adjacent content and memory usage, over-triggering increases the chance of collecting or acting on sensitive user information without sufficiently specific user intent.

Vague Triggers

Medium, 91% confidence
Finding
The trigger phrases are common everyday statements like feeling overwhelmed or disorganized, so they are likely to collide with normal user speech. This creates inappropriate activation risk, and in this skill's context that matters because the assistant may shift into mental-health-framed guidance and potentially store sensitive ADHD-related preferences based on weak evidence.

Missing User Warnings

High, 97% confidence
Finding
The skill proposes storing sensitive mental-health-related data, including ADHD status, treatment context, emotional sensitivities, and behavioral patterns, but does not clearly warn the user or require informed consent. In a life-management skill, this creates a meaningful privacy risk because sensitive profile data could be retained, reused, or exposed beyond what the user reasonably expects from a planning interaction.

VirusTotal

59/59 vendors flagged this skill as clean.