Muguozi1 Openclaw Proactive Agent

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives a proactive agent broad memory, monitoring, cleanup, and background-work authority without enough user control.

Install only if you want a highly proactive, memory-heavy agent. Before enabling it, restrict which files and accounts it may read, require confirmation before email/calendar checks, tab/app cleanup, file moves, scheduled jobs, or spawned agents, and regularly review or delete the memory files it creates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (38)

Context-Inappropriate Capability
Medium severity, 93% confidence
Finding: The skill explicitly directs the agent to use broad capabilities beyond passive memory/proactivity, including CLI, browser, web search, and spawning agents. In a proactive architecture this meaningfully expands the attack surface and can turn benign task persistence into autonomous execution and lateral action without tight task scoping.

Context-Inappropriate Capability
Medium severity, 89% confidence
Finding: The skill prescribes weekly cron-based reminders and scheduled proactive behavior without clearly bounded user consent. Autonomous scheduling can cause unsolicited actions, repeated prompt exposure, and persistence of behavior beyond the user's immediate awareness.

Intent-Code Divergence
Medium severity, 97% confidence
Finding: The file explicitly instructs the agent to delete `BOOTSTRAP.md` immediately after following it, without any approval step. That directly conflicts with the later rule requiring confirmation before deletion, creating precedence ambiguity that can normalize unsafe file removal and allow a bootstrap file to self-delete evidence or force one-time actions without user visibility.

Intent-Code Divergence
Medium severity, 94% confidence
Finding: The broad directive 'Don't ask permission. Just do it.' conflicts with later safety constraints that require asking before external actions and confirming deletions. Conflicting rules are dangerous because agents may resolve them inconsistently, causing unauthorized actions under the guise of proactivity.

Context-Inappropriate Capability
Medium severity, 91% confidence
Finding: Authorizing the agent to check emails and calendars expands access beyond workspace organization and memory management into surveillance of private communications and schedules. That broader capability increases privacy risk and can expose sensitive data unrelated to the skill's stated purpose.

Context-Inappropriate Capability
Medium severity, 93% confidence
Finding: The heartbeat workflow tells the agent to routinely inspect emails and calendars and decide when to reach out, which introduces ongoing monitoring behavior not clearly justified by the skill description. Persistent polling of personal data sources increases privacy exposure and the likelihood of acting on sensitive information without explicit consent.

Context-Inappropriate Capability
Medium severity, 95% confidence
Finding: The heartbeat instructs the agent to close apps, clean browser tabs, move screenshots to trash, and flag files on the desktop. These are system-manipulation and destructive housekeeping actions that exceed a normal 'proactive improvement' checklist and can alter the user's environment without explicit consent, risking data loss, workflow disruption, and overbroad host access.

Context-Inappropriate Capability
Medium severity, 96% confidence
Finding: The skill directs periodic checks of emails, calendar, projects, and ideas, which creates ongoing monitoring behavior beyond the declared 'proactive improvement' purpose. That expands the agent's surveillance and data-access scope into highly sensitive personal/work information without explicit scoping, necessity, or consent language.

Intent-Code Divergence
Medium severity, 95% confidence
Finding: The test functions are presented as unit tests but contain no assertions, no validation, and always return success. This can mask regressions or unsafe behavior by giving maintainers false confidence that the skill has been tested, which weakens the reliability of the release and can allow other security-relevant defects to ship unnoticed.

Vague Triggers
Medium severity, 88% confidence
Finding: The reverse-prompting trigger is intentionally broad ('when things feel routine', after learning context), which can cause unsolicited skill activation during ordinary conversation. In a proactive agent that also maintains long-term memory, this increases the chance of collecting extra personal context or steering the interaction beyond the user's immediate intent.

Vague Triggers
Medium severity, 90% confidence
Finding: Using 'long conversation' as the trigger for curiosity prompts is ambiguous and weakly scoped, so the agent may begin probing for personal details simply because a chat has gone on for a while. In this skill, those prompts feed persistent memory files, which makes over-collection more risky than in a stateless assistant.

Missing User Warnings
Medium severity, 93% confidence
Finding: The skill markets 'memory that sticks' and continuous learning but does not present a clear up-front warning that personal conversation data may be stored persistently. Users may disclose sensitive information without understanding it will be written to files and reused later.

Missing User Warnings
Medium severity, 95% confidence
Finding: The onboarding flow says the agent auto-populates USER.md and SOUL.md from user answers, but the quick-start guidance does not clearly warn that the agent will modify workspace files automatically. That can surprise users and lead to unintended persistence of sensitive or incorrect information.

Vague Triggers
Medium severity, 91% confidence
Finding: The WAL trigger scans every message for broad categories like corrections, names, preferences, and values, which is an overly broad activation condition. Such vague triggers increase the chance of over-collection, unintended writes, and unsafe activation on ordinary conversation content.

Missing User Warnings
High severity, 95% confidence
Finding: The onboarding flow instructs the agent to auto-populate USER.md and SOUL.md from user answers, causing persistent workspace modification without prominent consent and disclosure. Automatic writes to profile and identity-related files can capture sensitive data and alter agent behavior in ways the user may not anticipate.

Vague Triggers
Medium severity, 95% confidence
Finding: The instruction to act without permission is overly broad and undefined, encouraging autonomous behavior outside clearly bounded tasks. Ambiguous autonomy is dangerous because it can be interpreted to justify sensitive actions, especially when paired with other proactive and self-modifying directives in the file.

Missing User Warnings
High severity, 98% confidence
Finding: Instructing deletion of `BOOTSTRAP.md` with no warning or confirmation creates a direct unsafe action path affecting the filesystem. A bootstrap file could contain critical setup context, audit evidence, or malicious one-time instructions, and auto-deletion prevents review and recovery while bypassing normal user control.

Missing User Warnings
Medium severity, 97% confidence
Finding: The cleanup section authorizes destructive or state-changing actions such as closing applications, closing tabs, and moving files to trash, but provides no warning, dry-run mode, recovery guidance, or confirmation requirement. In an autonomous heartbeat context, that can lead to accidental loss of unsaved work, discarded files, or disruption of active user tasks.

Missing User Warnings
Medium severity, 96% confidence
Finding: The instructions encourage proactive inspection of emails, calendar, and projects without any privacy-impact warning, minimization guidance, or consent workflow. Because these sources often contain sensitive personal, financial, and business data, routine access materially increases privacy and confidentiality risk.

Missing User Warnings
Medium severity, 93% confidence
Finding: The onboarding flow states that once enough answers are gathered, the agent will update USER.md and SOUL.md with personal context and preferences, but it does not clearly warn the user that their personal data will be stored persistently across files for future reuse. This creates a privacy and consent issue: users may provide sensitive personal, work, or relationship details without understanding they will be retained and propagated into durable memory files.

Missing User Warnings
Medium severity, 94% confidence
Finding: This template explicitly encourages collecting and maintaining sensitive personal context about a user, including relationships, preferences, work habits, and life goals, but provides no privacy notice, data minimization guidance, retention limits, or handling restrictions. In an agent skill whose purpose is to make the agent more proactive and continuously improve, centralizing this profile increases the likelihood of over-collection, unintended persistence, and misuse or leakage of personal data.

Vague Triggers
Medium severity, 89% confidence
Finding: The description '主动代理 - anticipates needs and continuously improve' is broad and capability-oriented rather than scoping when the skill should be invoked. In agent ecosystems, overly general manifests can cause inappropriate auto-selection or overuse of an automation-oriented skill, increasing the chance of unintended actions or privilege misuse in contexts where it was not specifically requested.

Natural-Language Policy Violations
Low severity, 76% confidence
Finding: The manifest description mixes Chinese and English without stating whether multilingual behavior is intentional, user-selected, or tied to locale handling. This can create ambiguity in routing, review, and user expectations, which is a security-relevant quality issue when skill invocation or output language affects how warnings, consent, or capabilities are understood.

Missing User Warnings
Medium severity, 94% confidence
Finding: The flow explicitly tells the agent to save answers into ONBOARDING.md and profile files during onboarding, but it does not require clear notice, consent, or choice about persistent storage of personal information. This creates a privacy risk because users may disclose sensitive preferences, goals, names, or other personal details without understanding they are being retained across sessions.

Missing User Warnings
Medium severity, 96% confidence
Finding: The 'opportunistic learning' section directs the agent to infer attributes such as timezone, communication style, relationships, and projects from ordinary conversation and store them in USER.md. Collecting and persisting inferred personal data without an explicit warning or consent boundary is dangerous because users may not realize casual remarks are being converted into a durable profile.

VirusTotal

62/62 vendors flagged this skill as clean.