Proactive Agent Install

Security checks across malware telemetry and agentic risk

Overview

The skill is not overtly malicious, but it gives a proactive agent broad memory, monitoring, background-work, and local-cleanup authority without enough user control.

Install only if you explicitly want a highly proactive, memory-heavy agent. Before using it, disable or rewrite the email/calendar checks, heartbeat cleanup, autonomous agent turns, and scan-every-message logging unless you are comfortable with that level of access. Add explicit opt-in, review, and deletion rules for stored profile and conversation files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (39)

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The skill explicitly encourages use of CLI, browser, web search, and spawning agents, which expands execution and delegation authority beyond a memory/proactivity skill's stated purpose. This increases attack surface and can cause the agent to take unsafe actions or access unneeded external systems without tightly scoped approval.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
Telling the agent to spawn research agents and investigate external sources like GitHub issues broadens behavior outside the declared scope and can pull the agent into untrusted content flows. That creates additional prompt-injection, data-exposure, and autonomy risks not justified by the core function of this skill.

Description-Behavior Mismatch

Medium
Confidence: 91%
Finding
These rules authorize the agent to monitor emails, calendars, logs, and other signals proactively, which expands behavior beyond simple internal workspace assistance. Even though there are some approval guardrails, this broad monitoring can lead to unnecessary access to sensitive data and unexpected user surveillance or outreach behavior.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The heartbeat section tells the agent to inspect emails and calendars and decide when to reach out, which grants access to sensitive external data and encourages semi-autonomous communication behavior. For a generic 'proactive agent' skill, this is broader than necessary and increases privacy and overreach risk.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
Instructing the agent to use 'every tool' including browser, web search, and spawned agents encourages unrestricted capability expansion without task-scoped authorization. This can amplify prompt-injection exposure, data leakage paths, and unintended actions when the agent encounters blockers.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The heartbeat directs the agent to close applications, manage browser tabs, and move files such as screenshots to trash, which expands behavior from a 'proactive partner' into device-management actions with destructive side effects. In a periodic, self-initiated context, these actions can cause data loss, disrupt user workflows, and exceed what a user would reasonably infer from the skill description.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
Periodic checks of emails, calendar, and projects introduce ongoing access to sensitive personal and business data without clear justification, consent flow, or scope limits tied to the declared skill purpose. This broadens the agent into a surveillance-like role and increases privacy risk if the checks are performed automatically during heartbeats.

Vague Triggers

Medium
Confidence: 89%
Finding
The reverse-prompting trigger is intentionally broad and encourages the agent to initiate engagement whenever it 'feels routine' or after learning new context. In a proactive agent skill, that can lead to excessive unsolicited prompting and repeated elicitation of information, especially when combined with persistence and cron-based reminders elsewhere in the file.

Vague Triggers

Medium
Confidence: 86%
Finding
The curiosity trigger uses vague language like 'long conversation' as the signal to ask personal gap-filling questions. That ambiguity can cause the agent to probe for user details too often or in contexts where the user did not expect profiling behavior.

Vague Triggers

Medium
Confidence: 90%
Finding
The WAL trigger scans every message for very common conversational patterns such as corrections, preferences, names, and numbers, causing the behavior to activate extremely broadly. In practice this can lead to indiscriminate collection and persistence of user content, including sensitive information, on routine conversation turns.

Vague Triggers

Medium
Confidence: 84%
Finding
The compaction recovery auto-triggers on vague phrases like 'continue' or 'where were we?', which are common in normal dialogue and may cause unnecessary recovery behavior. This can prompt needless rereading of stored conversation logs and increase privacy exposure and unintended context resurrection.

Missing User Warnings

High
Confidence: 97%
Finding
The Working Buffer protocol instructs the agent to persist every human message and response summary during context pressure, but it does not provide clear user notice, consent, retention limits, or sensitivity filtering. This creates a significant privacy and compliance risk because sensitive chat content may be stored automatically and retained beyond the user's expectations.

Vague Triggers

Medium
Confidence: 83%
Finding
The WAL trigger tells the agent to scan every message for broad categories like corrections, preferences, names, and specific values, then persist them before responding. This creates over-collection pressure and can cause sensitive conversational content to be captured automatically without user intent or minimization.

Vague Triggers

Medium
Confidence: 76%
Finding
The compaction recovery auto-trigger includes ordinary phrases such as 'continue' or 'where were we?' that are likely to appear in normal conversation. That can invoke recovery logic unexpectedly, causing unnecessary file reads and resurfacing prior context when the user may not want historical data pulled back in.

Missing User Warnings

Medium
Confidence: 91%
Finding
The onboarding flow says the agent auto-populates USER.md and SOUL.md from user answers, but it does not require informed consent, review, or a privacy warning. That encourages persistent profiling of personal preferences and identity-related information without clear user control.

Vague Triggers

Medium
Confidence: 89%
Finding
'Don't ask permission. Just do it.' is an overly broad autonomy directive that can override normal user-consent expectations and encourage the agent to take actions before confirming intent or scope. In combination with memory access and proactive workflows, it increases the chance of unauthorized reads, writes, or other unintended operations.

Vague Triggers

Medium
Confidence: 92%
Finding
The instruction to 'poll this during heartbeats' is overly broad and provides no trigger conditions, frequency limits, approval boundaries, or task constraints. That ambiguity makes all later instructions eligible for recurring autonomous execution, magnifying the risk of privacy-invasive or destructive behaviors elsewhere in the file.

Missing User Warnings

Medium
Confidence: 97%
Finding
The cleanup section authorizes potentially destructive actions like closing applications and moving screenshots to trash without warning, review, or confirmation. In a periodic background workflow, even 'safe' heuristics can misclassify important work as unused or old, causing avoidable disruption or data loss.

Missing User Warnings

Medium
Confidence: 95%
Finding
The file encourages proactive review of emails, calendar, and projects without any privacy warning, data minimization guidance, or user authorization boundary. Because these are highly sensitive sources, silent recurring access can expose confidential information and create trust and compliance issues.

Missing User Warnings

Medium
Confidence: 89%
Finding
This template explicitly encourages storing sensitive personal information such as background details, preferences, important dates, relationship context, and project history in long-term memory without any privacy notice, minimization guidance, retention limits, or consent controls. In an agent skill focused on persistent memory and proactive behavior, this increases the chance of over-collection, unnecessary retention, and downstream exposure of personal data through prompts, logs, sync, or compromise.

Missing User Warnings

Medium
Confidence: 95%
Finding
The onboarding flow explicitly collects sensitive personal and contextual information such as identity, timezone, goals, work context, and key relationships, then states that this data will be copied into other files. There is no warning about persistence, retention, visibility, or consent for storage, which creates a privacy risk and can lead to over-collection and unintended long-term exposure of personal data.

Missing User Warnings

Medium
Confidence: 95%
Finding
This template explicitly prompts collection of personal profile data, relationships, preferences, schedules, and life goals, but provides no guidance on minimization, consent, retention, access controls, or safe handling. In the context of a proactive agent designed to anticipate needs and continuously improve, this data can be aggregated into a sensitive behavioral profile that increases privacy and social-engineering risk if exposed or misused.

Missing User Warnings

Medium
Confidence: 92%
Finding
The flow explicitly tells the agent to save answers into persistent files like ONBOARDING.md and USER.md, but it does not require clear notice or consent before storing personal information. This creates a privacy risk because users may disclose identifying or preference data without understanding it will be retained across sessions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The opportunistic learning section instructs the agent to infer and persist personal details from ordinary conversation, including timezone, communication preferences, relationships, and projects, without a clear disclosure step. Silent profiling increases privacy and trust risks because users may not realize casual statements are being transformed into durable memory.

Ssd 3

Medium
Confidence: 94%
Finding
The onboarding flow tells the agent to learn from ordinary conversation and auto-populate persistent profile files over time. This creates a standing mechanism for collecting and storing user information without strong minimization, consent granularity, or sensitivity boundaries.

VirusTotal

64/64 vendors flagged this skill as clean.