ClawHub

Smart Daily Assistant

Security checks across malware telemetry and agentic risk

Overview

This is a local personal-assistant skill that saves user-entered reminders, notes, contacts, expenses, and related data on the device, with no evidence of hidden network access or malicious behavior.

Install only if you are comfortable with personal assistant data being saved locally in ~/.openclaw/smart-daily-assistant/. Avoid storing highly sensitive notes, contact details, or financial information there, and review or delete that folder when you no longer want the retained data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

High
Confidence
93% confidence
Finding
The top-level description includes a very broad catch-all phrase ('any daily personal assistant task'), which can cause the skill to activate for a wide range of unrelated user requests. In a skill that reads and writes persistent personal data, overbroad activation increases the chance of unintended handling or storage of sensitive information the user did not mean to entrust to this skill.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The trigger 'briefing' is ambiguous in ordinary conversation and may invoke the skill when the user means something else. Because the skill persists data and can influence planning output, accidental activation can lead to unwanted disclosure or processing of stored personal information.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The standalone trigger 'schedule' is overly generic and likely to appear in normal conversation unrelated to this skill. That makes accidental task creation or reminder handling more likely, especially in a tool that auto-saves user input to local storage.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger 'spent' is a common word and can easily collide with ordinary dialogue, causing unintended expense logging. Since the skill auto-saves financial entries, false activation may create inaccurate financial records or store sensitive spending information without clear user intent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill stores reminders, notes, contacts, expenses, and other personal information across multiple local files, but the user-facing description does not prominently warn that this data is persisted across sessions. Users may provide sensitive personal content believing it is ephemeral, creating a privacy and consent problem even without network exfiltration.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal