Proactive

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives an agent broad proactive authority and persistent memory without enough consent, scoping, or safety controls.

Install only if you intentionally want a highly proactive, memory-retaining agent. Before using it, make memory logging opt-in, keep memory files private and out of shared repos, remove or gate BOOTSTRAP.md deletion and cleanup actions, disable autonomous crons/sub-agents unless explicitly configured, and grant email/calendar or credential-adjacent access only with narrow account and action limits.

SkillSpector (by NVIDIA)

Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (40)

Context-Inappropriate Capability (Medium severity, 95% confidence)

The heartbeat expands the agent's authority beyond a narrow proactive-assistant role into broad inspection and management of local logs, applications, browser tabs, desktop files, email, and calendar. In an autonomous or semi-autonomous agent, this creates unnecessary access to sensitive data and enables disruptive actions without clear per-action authorization or scope boundaries.

Context-Inappropriate Capability (Medium severity, 93% confidence)

The skill explicitly tells the agent to 'use every tool' including CLI, browser, web search, and spawning agents, which materially expands operational scope beyond memory/proactivity guidance into broad autonomous action. In a skill meant to shape agent behavior, this can push an agent to invoke powerful capabilities without task-specific authorization boundaries, increasing the risk of unsafe execution, lateral tool use, or unintended external interaction.

Context-Inappropriate Capability (Medium severity, 87% confidence)

The skill directs creation of a weekly cron-job reminder, introducing autonomous scheduled behavior that persists beyond the immediate session. Scheduled autonomous actions can create recurring data access, notifications, or behavioral drift without fresh user consent, especially when paired with proactive monitoring and memory systems.

Context-Inappropriate Capability (Medium severity, 82% confidence)

The instruction to use CLI, browser, web search, and spawned agents broadly encourages expansive capability use without tying those actions to narrowly defined tasks or approval gates. In practice, that can lead an agent to access more systems and data than necessary, increasing the attack surface and the chance of unsafe side effects.

Context-Inappropriate Capability (Medium severity, 84% confidence)

The autonomous cron and isolated sub-agent pattern authorizes background execution that can perform work without active user review, but the manifest does not clearly scope or constrain that authority. Unbounded autonomous execution is risky because it can repeatedly access context, mutate files, or perform unintended actions at scale once enabled.

Intent-Code Divergence (Medium severity, 88% confidence)

The file claims the agent will 'always check before doing anything external,' but earlier guidance instructs it to automatically write user data to ONBOARDING.md, USER.md, and SOUL.md. That inconsistency can mislead users about when their data is being persisted, undermining meaningful consent and creating a privacy trust gap.

Vague Triggers (Medium severity, 89% confidence)

The instruction 'Don't ask permission. Just do it.' encourages autonomous action before obtaining user consent and can override safer interaction patterns during session startup. In a proactive agent skill, this increases the chance the agent performs unapproved reads or actions based on local files or inferred intent, especially when combined with broad guidance to explore and update memory.

Missing User Warnings (Medium severity, 92% confidence)

The instructions tell the agent to research, attempt fixes, test changes, and update persistent files automatically when issues are found. That can lead to unreviewed modifications, configuration drift, or accidental breakage, especially because no requirement exists to notify the user or obtain approval before making impactful changes.

Missing User Warnings (High severity, 98% confidence)

The cleanup section authorizes closing apps, closing browser tabs, bookmarking pages, moving screenshots to trash, and handling unexpected files without safeguards. These actions can cause data loss, interrupt active work, or delete important artifacts, particularly because 'safe' is underspecified and no user warning or confirmation is required.

Missing User Warnings (Medium severity, 90% confidence)

The memory maintenance guidance directs the agent to persist distilled learnings, decisions, and open threads into memory files without addressing data minimization, retention limits, or privacy review. This can result in long-term storage of sensitive user information and broaden the blast radius of any later compromise or misuse of those files.

Missing User Warnings (Medium severity, 94% confidence)

The proactive work section encourages periodic checking of emails, calendars, and projects, all of which are privacy-sensitive sources, without clear permission boundaries or purpose limitation. In a background heartbeat, this normalizes silent access to personal and professional data and may expose or misuse confidential information.

Missing User Warnings (Medium severity, 95% confidence)

This memory template explicitly encourages storing highly sensitive personal information such as background details, preferences, and important dates, but provides no guidance on consent, minimization, retention, or protection. In a proactive agent skill, long-term memory is likely to be persisted and reused across sessions, which increases the risk of privacy harm, overcollection, and unintended exposure if the data is mishandled or later surfaced in prompts.

Missing User Warnings (Medium severity, 96% confidence)

The template includes a section for storing information about other people and relationship context, which can lead to collecting third-party personal data without those individuals' knowledge or consent. In the context of a proactive assistant, this is especially risky because the system may operationalize and retain social or personal details about non-users over time, amplifying privacy and confidentiality concerns.

Missing User Warnings (Medium severity, 95% confidence)

The onboarding flow asks for sensitive personal and contextual details, then states those answers will be copied into USER.md and SOUL.md, but it does not clearly warn the user up front that their responses will be persisted across files for future agent use. This creates a privacy and consent risk because users may disclose personal, workplace, or relationship information without understanding the retention and propagation behavior.

Vague Triggers (Medium severity, 91% confidence)

The skill repeatedly frames the agent as one that should 'anticipate needs,' 'monitor what matters,' and act proactively, but it does not define clear activation boundaries, consent requirements, or task scoping. In an agent with tools or background jobs, this ambiguity can cause unsolicited actions, overreach, or increased susceptibility to prompt-manipulated task expansion.

Missing User Warnings (Medium severity, 95% confidence)

The description promises 'memory that sticks' and persistence of context, but there is no prominent user-facing disclosure about what kinds of data will be stored, for how long, or with what controls. This creates a privacy and compliance risk because users may reveal sensitive information without realizing it will be retained across sessions.

Missing User Warnings (Medium severity, 96% confidence)

The onboarding section says the agent learns 'from natural conversation' and updates user-profile files opportunistically, but it does not clearly disclose to the user that conversational content may be recorded and persisted. That makes passive collection of personal data more dangerous because the collection is embedded in normal chat rather than explicit form entry.

Vague Triggers (Medium severity, 89% confidence)

The WAL trigger language is extremely broad, covering ordinary corrections, names, preferences, draft edits, and specific values, and mandates a write before responding whenever any trigger appears. This can cause constant invocation on routine conversation and normalize automatic persistence of large amounts of user content without meaningful relevance filtering.

Vague Triggers (Medium severity, 84% confidence)

The compaction recovery trigger includes vague phrases like 'continue' or 'where were we?' and even 'you should know something but don't,' which are common in normal dialogue and not reliable indicators of safe recovery behavior. This can lead to over-broad file reads and automatic retrieval of prior context when the user may only want a local conversational continuation, increasing unnecessary exposure of retained data.

Missing User Warnings (Medium severity, 94% confidence)

The quick start says the agent detects onboarding content and auto-populates USER.md and SOUL.md from answers, which means the skill is designed to modify workspace files automatically. Because this behavior is framed as normal setup rather than explicit consented file mutation, users may not understand that personal data will be written into persistent files.

Vague Triggers (Medium severity, 80% confidence)

Scanning every message for broad categories like corrections, names, preferences, decisions, and specific values creates an always-on trigger that will fire on ordinary conversation. That increases the likelihood of over-collection and unintended persistence of sensitive personal or operational details that were never meant to be stored.

Missing User Warnings (Medium severity, 88% confidence)

Automatically populating USER.md and SOUL.md from answers creates persistent profiling of the user and agent behavior without an explicit privacy notice, retention policy, or consent checkpoint. This is dangerous because onboarding answers often contain preferences, goals, and sensitive personal context that may later be exposed to other tools, prompts, or collaborators.

Missing User Warnings (Medium severity, 96% confidence)

The agent is instructed to save answers and update profile files after each response, but the user-facing script does not clearly warn that personal information will be stored locally and retained across sessions. This creates undisclosed collection and retention of personal data, which is a real privacy and consent issue.

Missing User Warnings (Medium severity, 98% confidence)

The opportunistic learning section tells the agent to infer personal attributes from ordinary conversation and store them, including timezone, communication preferences, relationships, and project details. Because this happens outside explicit onboarding and without clear warning, it enables covert profiling from casual remarks.

Missing User Warnings (Medium severity, 96% confidence)

The script appends raw human input directly into project files without any notice, consent flow, or filtering. In an agent skill context, this creates an unexpected persistence channel for potentially sensitive user data and can also allow user-controlled content to influence later agent behavior if those files are consumed as memory or state.

VirusTotal

66/66 vendors flagged this skill as clean.