Water Coach

Security checks across malware telemetry and agentic risk

Overview

Water Coach mostly does hydration tracking, but this package includes an unrelated MCP-control skill and reads agent session transcripts, so it needs review before installation.

Install only after reviewing or removing the bundled skills/mcporter directory and deciding whether you are comfortable with Water Coach reading local OpenClaw session transcripts for audit message IDs. Keep audit_auto_capture disabled unless you want transcript text shown in audits, configure reminder schedules deliberately, and avoid running the included tests against real tracking data because they can write test entries and counters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation presents conflicting privacy guarantees: it says transcript context is only read when explicitly using `water audit`, yet also states that `message_id` is automatically captured from the session transcript for every log entry. Even if only an identifier is captured, that still constitutes transcript-derived metadata collection and can mislead users and integrators about when conversation data is accessed or retained.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The skill reads session transcript files to extract recent user message IDs, giving a hydration utility visibility into unrelated conversation history. That expands the skill's access far beyond its core purpose and creates unnecessary exposure of potentially sensitive transcript data if this function is invoked or later extended.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The code silently reads sensitive session transcript files for audit purposes without clear user-facing disclosure or necessity for water logging. Access to conversation transcripts can reveal secrets, personal data, and unrelated requests, making this a meaningful privacy and boundary violation in the skill context.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
get_message_context reads the latest session transcript, extracts surrounding message content, and returns it to callers. In a water-tracking skill, exposing conversation text unrelated to hydration is an unnecessary sensitive-data access path that could leak private information or enable covert prompt/context harvesting.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The skill description is extremely broad and authorizes listing, configuring, authenticating to, and calling arbitrary MCP servers and tools without defining clear user-trigger boundaries or safety constraints. In an agent setting, this increases the chance of unintended execution against sensitive local or remote endpoints, especially when combined with auth, config editing, and direct URL/stdio support.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill advertises config edits, authentication flows, and direct server/tool invocation but does not warn that these operations may modify local configuration, launch local commands, contact external services, or use stored credentials. This omission is dangerous because users or higher-level agents may treat the skill as routine utility functionality and trigger sensitive actions without informed consent.

External Transmission

Medium
Category
Data Exfiltration
Content
Call tools
- Selector: `mcporter call linear.list_issues team=ENG limit:5`
- Function syntax: `mcporter call "linear.create_issue(title: \"Bug\")"`
- Full URL: `mcporter call https://api.example.com/mcp.fetch url:https://example.com`
- Stdio: `mcporter call --stdio "bun run ./server.ts" scrape url=https://example.com`
- JSON payload: `mcporter call <server.tool> --args '{"limit":5}'`
Confidence
81% confidence
Finding
https://api.example.com/

VirusTotal

64/64 vendors flagged this skill as clean.
