Back to skill

Security audit

Task Status

Security checks across malware telemetry and agentic risk

Overview

This status notifier is mostly coherent, but it can send task messages to Telegram using a hard-coded default recipient and keeps local state/logs without clear upfront disclosure.

Install only if you intend status text to be sent through Clawdbot to Telegram. Set TELEGRAM_TARGET explicitly before use, confirm CLAWDBOT_GATEWAY_TOKEN is appropriate, avoid secrets or sensitive filenames in status messages, and clean up monitors, state files, and JSONL logs after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documentation and examples indicate shell execution, file access, environment use, and persistent state, but no permissions are declared. This creates a transparency and policy-bypass risk because users or orchestrators cannot accurately assess or constrain the skill's capabilities before use.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The stated purpose is simple chat status reporting, but the analyzed behavior includes undisclosed external messaging, environment-configured targets, persistent JSON state, and local logging. That mismatch is dangerous because it can cause sensitive task metadata to be transmitted or stored outside the user's expectations, undermining informed consent and security review.

Context-Inappropriate Capability

Medium
Confidence
79% confidence
Finding
The skill executes an external CLI binary as a fallback, which increases the trusted computing base and can lead to abuse if the resolved executable is replaced, shadowed in PATH, or the hardcoded user-specific paths point to an untrusted binary. In an agent skill context, invoking external tools for routine status reporting is more dangerous because the skill may run in varied environments with weaker binary provenance controls.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as sending short status updates, but the script also persistently stores message contents and metadata to local JSONL logs. That expands the data handling surface and can leak sensitive task names, failure details, or operational context to disk without being obvious from the skill description.

Context-Inappropriate Capability

High
Confidence
87% confidence
Finding
The fallback to an external CLI introduces an undeclared execution dependency and another outbound transmission path. In a skill whose stated purpose is simple status reporting, this hidden behavior increases attack surface, trust assumptions, and the chance of sending data through an unintended tool or compromised local binary.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The README explicitly advertises background monitoring that runs independently and persistent state storage in `.task_status_state.json`, but it does not clearly warn users that the skill will continue operating after launch or that it creates and maintains local state files. In an agent/automation context, undocumented background activity and file creation can surprise users, complicate incident response, and leave lingering processes or artifacts that expose task names, statuses, or operational metadata.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation encourages frequent status updates and automated monitoring but does not warn that status text may contain secrets, filenames, API errors, or operational details that could be exposed in chat, logs, or external messaging channels. In the context of a status-reporting skill, this omission materially increases the chance of accidental data leakage during normal use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Status messages are written to disk with timestamps, task names, and statuses without any user-facing notice or consent mechanism. Even short status messages can contain sensitive business context, errors, or identifiers, and persistent local logs create a durable privacy and disclosure risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script sends message content externally to Telegram via a gateway/CLI path, but the skill description does not clearly warn that task content leaves the local environment. This can expose operational details or sensitive text to third-party messaging infrastructure in ways users may not expect from a generic 'status' skill.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.