Back to skill

Security audit

Research Planner

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only research-planning skill whose privacy-sensitive study templates are expected for the purpose, but users should review consent and data handling before using them with participants.

Safe to install for research planning. Before using generated materials with real participants, review consent, recording, privacy, retention, and sensitive-data handling with legal/compliance or research-ethics reviewers, especially for regulated topics, minors, employees, workplace observation, or media capture. Prefer the Clawdhub install command unless the external GitHub/npx source has been verified.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guidance explicitly references recording as part of participation, but only requires generic consent wording and does not clearly instruct the user to obtain explicit recording disclosure and any jurisdiction-specific consent required before recording sessions. In a research-planning skill, this omission can lead users to run recorded interviews or usability tests without legally sufficient notice or consent, creating privacy, compliance, and trust risks.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The template explicitly asks researchers to collect longitudinal records about triggers, actions, feelings, contexts, and screenshots/photos or clips, which can easily include sensitive personal, behavioral, or third-party data. Because it provides no built-in consent, minimization, confidentiality, or handling guidance, users may deploy it as-is and collect data in ways that create privacy, compliance, and participant-safety risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The template explicitly includes demographic and country/location questions plus quota rules, but it does not instruct authors to add a data-specific notice, consent language, or minimization guidance for potentially sensitive personal data. In a research-planning skill, this omission can lead downstream users to collect personal information without appropriate transparency or safeguards, increasing privacy, compliance, and participant-trust risks.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.