reminder research

Security checks across malware telemetry and agentic risk

Overview

This skill openly turns Apple Reminders notes into automated agent tasks, but the trigger and permissions are broad enough that normal reminder text could cause real file, API, calendar, or smart-home actions.

Install only if you deliberately want Apple Reminders to drive real agent actions. Use a dedicated Reminders list or explicit command prefix, start with manual runs, avoid shared or sensitive reminders, and require human approval before file edits, commits, calendar changes, public issue creation, API mutations, or smart-home automation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (12)

Vague Triggers

Medium
94% confidence
Finding
The trigger logic executes on essentially any reminder that contains notes and lacks the 🤖 marker, which is an extremely broad activation surface for an agent capable of file edits, API calls, calendar changes, and home automation. In this context, ordinary reminder text can be unintentionally interpreted as actionable commands, creating a real risk of unauthorized or surprising side effects from benign user content.

Vague Triggers

Medium
88% confidence
Finding
The description promotes a generic natural-language task queue with automated heartbeat processing, reinforcing that arbitrary reminder content may be picked up and executed without a narrowly defined command boundary. While descriptive text alone is not executable, here it accurately signals an unsafe design pattern: autonomous interpretation of broad user-authored text tied to powerful actions.

Missing User Warnings

High
97% confidence
Finding
The skill advertises autonomous execution across files, calendars, GitHub, Home Assistant, and web research without any visible warning, approval gate, or limitation on sensitive operations. Given the broad trigger conditions and powerful integrations, this omission materially increases the chance of data leakage, destructive edits, unwanted external actions, or privacy-impacting automation being performed from routine reminder text.

Missing User Warnings

Medium
90% confidence
Finding
The architecture specifies automatic modification of reminder notes, including overwriting them with generated content, without any explicit user consent, preview, or rollback mechanism. This can alter user data unexpectedly, destroy original instructions/context, and make the system unsafe in unattended cron execution.

Missing User Warnings

Medium
94% confidence
Finding
Reminder contents and note text are used for web-based research and multi-source processing, which can send potentially sensitive personal task data to external services without clear warning or consent. Because reminders often contain private information, this creates a real privacy and data-exfiltration risk.

Missing User Warnings

Medium
89% confidence
Finding
The script forwards reminder titles and notes verbatim into downstream EXECUTE records without validation, consent prompts, or trust boundaries. In the stated skill context, reminder notes are intended to drive later agent behavior, so untrusted personal reminder content can become implicit instructions for an automated system with broad connected capabilities.

Natural-Language Policy Violations

High
96% confidence
Finding
The documented policy says any reminder note lacking the processed marker should be executed and that the agent can do 'ANYTHING,' which removes meaningful authorization boundaries. In this skill context, that is especially dangerous because the metadata explicitly lists file editing, API access, and other skills, so a simple reminder note can become a high-privilege automation trigger.

Ssd 1

High
98% confidence
Finding
The design treats arbitrary reminder notes as instructions for the AI to follow, effectively making untrusted user-controlled data a command channel. Any party able to create or modify reminders can steer tool use, influence data access, and trigger unintended actions, which is a classic prompt-injection/control-flow vulnerability.

Ssd 1

High
98% confidence
Finding
The processing logic explicitly parses natural-language instructions from notes and uses them to drive multi-source behavior across tools and skills. This gives attacker-controlled text influence over tool selection and data flow, substantially increasing the chance of prompt injection, exfiltration, or unsafe side effects.

Ssd 4

Medium
88% confidence
Finding
The workflow escalates from simple reminder handling to custom-instruction execution without meaningful trust boundaries, making a routine personal productivity channel capable of driving more powerful agent actions. This is dangerous because it normalizes privilege expansion from low-risk inputs to higher-risk operations.

Ssd 4

Medium
91% confidence
Finding
The evolution history explicitly celebrates increased flexibility by letting note text steer agent behavior, which reflects a design trend toward broader interpretation of untrusted inputs. In security terms, this increases attack surface and makes future unsafe capability creep more likely, especially in scheduled autonomous runs.

Ssd 1

High
95% confidence
Finding
The execution policy semantically treats arbitrary reminder note text as control input for an agent, creating a prompt/command injection boundary failure. Because reminders are normal user content rather than a secure control channel, any note content, accidental phrasing, or maliciously inserted reminder can steer downstream automation into unsafe actions.

VirusTotal

64/64 vendors flagged this skill as clean.