Project Manager Pro

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real local task manager, but it needs review because first-run setup can execute a shell script that may install system packages with sudo before the user has clearly approved it.

Review the shell scripts before installing. Do not allow setup.sh to run automatically unless you accept possible jq installation and sudo prompts; installing jq yourself first reduces that risk. Keep cross-tool integrations disabled unless you are comfortable copying financial, meal, fitness, or content-planning details into local plaintext task files and agent-visible check-ins.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The script’s header comments state it only creates a data directory and initializes empty stores, but it also installs jq and may invoke system package managers with elevated privileges. This mismatch is security-relevant because users may run the script with a lower expectation of system impact, enabling unexpected modification of the host environment.

Intent-Code Divergence

High
Confidence: 95%
Finding
The script is presented as a read-only weekly review generator, but it also performs state-changing actions by archiving completed tasks and deleting them from the active task file. This mismatch is dangerous because an agent or user may invoke it expecting reporting only, causing unintended data mutation and potential loss of active records if archiving fails, duplicates accumulate, or the archive logic is not desired.

Missing User Warnings

Medium
Confidence: 96%
Finding
The setup prompt instructs the agent to run setup.sh before the conversation begins and later write settings.json/create a data directory, but it provides no explicit user-facing disclosure or confirmation before those side effects occur. Silent shell execution and file-system writes during installation increase risk because a modified or overly-privileged script could change local state unexpectedly or be abused to execute arbitrary commands.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill specifies automatic cross-tool task creation and stores resulting items in a persistent local task database, but it does not require explicit user consent or a clear notice that data from other tools will be propagated into this store. This can expose sensitive information across contexts, create unexpected records, and broaden the privacy impact of any upstream data disclosure or compromise.

Missing User Warnings

Low
Confidence: 84%
Finding
The skill defines proactive scheduled check-ins driven by stored task data, but does not clearly warn the user that the agent may initiate messages automatically based on persisted personal information. While lower severity than cross-tool propagation, this still creates a privacy and consent risk because notifications may surface sensitive task details at unexpected times or in inappropriate contexts.

Vague Triggers

Medium
Confidence: 86%
Finding
The examples describe broad event-driven task generation from other tools without defining strong scope boundaries, confirmation requirements, or disambiguation rules. In practice, ambiguous triggers can cause unintended task creation, noisy automation, and action suggestions based on inferred user behavior across apps, which becomes a security and safety issue when automated workflows influence user decisions or expose sensitive context.

Missing User Warnings

Medium
Confidence: 93%
Finding
The file promotes automatic cross-tool task creation using data from expense, meal, fitness, and content tools, but it does not warn users that information from one tool may be surfaced in another. This can leak sensitive financial, health, routine, or behavioral data into broader task views, notifications, logs, and shared contexts, increasing privacy risk even if the feature is functioning as designed.

Missing User Warnings

Medium
Confidence: 92%
Finding
The script automatically rewrites tasks.json and archive files without any prior warning, confirmation, or dry-run mode. In an agent context, this is risky because routine scheduled execution can silently modify user data, and any malformed archive file, duplicate archival, or interrupted write can lead to confusing state changes or data loss.

VirusTotal

63/63 vendors flagged this skill as clean.
