Security audit

Todolist Md Clawdbot Copy

Security checks across malware telemetry and agentic risk

Overview

The skill matches its Google Drive todo-file purpose, but it uses persistent broad Drive credentials and local credential forwarding that users should review before installing.

Install only if you are comfortable granting this skill persistent Google Drive access. Prefer a dedicated Drive folder or account, verify the gog binary and OAuth client you use, start with dry runs or a small folder, keep Drive revision history/backups, and revoke/delete stored tokens when you stop using it.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The script forwards credential-bearing environment variables into child processes using sudo env, exposing secrets to any invoked gog process and potentially to local process inspection, logging, or debugging surfaces. In an agent/automation context, this increases the blast radius of compromised subprocesses or misconfigured host observability tooling.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal