人格修行系统 Daily Cultivation

Security checks across malware telemetry and agentic risk

Overview

This is a coherent daily reflection and reminder skill, but its saved journal entries and messaging channels should be treated as private-data surfaces.

Install only if you are comfortable with daily reflections being saved in the configured vault and reminders being sent through the channels you choose. Prefer a private local vault, verify the save path, channel target, timezone, and cron entries, avoid group chats for sensitive reflections, and disable auto-save or external delivery if you want a local-only workflow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (8)

Missing User Warnings

Medium
Confidence: 85%
Finding
The README explicitly promotes automatic saving of users' evening reflections to local files, which can contain sensitive personal, behavioral, and mental-state data, but it does not clearly warn users about persistence, access risks, or retention. In a journaling/self-reflection skill, this creates a real privacy risk because users may not realize their entries are being stored long-term in plaintext inside a local vault or synced note system.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly states it can automatically send content to external channels and optionally save evening reflections to a local Obsidian vault, but it does not prominently require informed user consent or warn about where data will be transmitted and written. This creates a privacy and safety risk because personal reflections may be sent or archived automatically without the user understanding the persistence and exposure of that data.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill includes cron configuration for recurring morning and evening messages but does not clearly warn that these scheduled tasks will continue running until modified or removed. Persistent automation can lead to unintended ongoing transmissions, spam, privacy leaks, or confusion if the user forgets that the jobs remain active after initial setup.

Missing User Warnings

Medium
Confidence: 84%
Finding
The configuration enables automatic saving of evening reflections to a persistent path without any visible consent or warning. Because reflections in a self-improvement journal can contain sensitive personal information, silent archival can expose private data through local compromise, syncing, backups, or unintended sharing.

Missing User Warnings

Medium
Confidence: 91%
Finding
The file configures Feishu outbound delivery to a specific target without any accompanying warning that user reflections or reminders may be transmitted to an external messaging platform. This creates a privacy risk because personal content may leave the local environment and be processed, logged, or viewed by unintended parties.

Missing User Warnings

Medium
Confidence: 94%
Finding
The template states that completed reflections will be automatically saved locally, and the surrounding content encourages storing highly personal behavioral, emotional, and productivity data. Without an explicit user-facing consent step, privacy notice, retention policy, or safeguards around file location and access, this can lead to unintended collection and persistence of sensitive personal data on disk.

Missing User Warnings

Medium
Confidence: 85%
Finding
The guide explicitly promotes automatic local saving of nightly reflections, which are likely to contain sensitive personal journaling data, but it does not warn users that this content will persist on disk and remain searchable, syncable, and potentially exposed through backups or shared vaults. In the context of a self-reflection skill, this is more sensitive than ordinary notes because the stored content may include intimate behavioral, emotional, or mental-health-adjacent information.

Missing User Warnings

Medium
Confidence: 88%
Finding
The documentation encourages sending content through Feishu, Discord, and Telegram without warning that reflection content, prompts, or configuration metadata may be transmitted to third-party services subject to external retention, monitoring, and access policies. Because this skill handles daily reflections and personal development data, routing messages through chat platforms materially increases privacy risk if users are not informed and allowed to choose safer defaults.

VirusTotal

63/63 vendors flagged this skill as clean.
