secretary-core-秘书核心模块

Security checks across malware telemetry and agentic risk

Overview

This secretary skill is purpose-aligned, but it asks users to trust broad workplace messaging, calendar, memory, and profiling behavior without clear limits or confirmation controls.

Install only if you are comfortable reviewing and constraining the skill yourself. Use least-privilege dedicated bot tokens, restrict channels and calendar scopes, require explicit confirmation before sending messages or changing schedules, and avoid relying on claims that actions were completed unless you verify the connected backend actually performed them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The skill documentation materially overstates and misstates behavior, claiming implemented capabilities such as 20-turn context retention and multi-platform integrations while the analysis indicates some features are only partially implemented or not implemented at all. In an assistant that can send notifications, manage schedules, and potentially learn user habits, this mismatch can cause operators to grant trust, tokens, and permissions under false assumptions, increasing the chance of unsafe deployment and unintended data handling.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The README claims 'local processing, no cloud upload, no data collection, no logging' while earlier examples imply sending notifications, preparing meeting materials, and integrating with external enterprise platforms. These statements can mislead users about where data goes and what side effects occur, creating privacy and consent risks if users assume no external transmission occurs.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The response logic tells users that meetings were arranged or reminders were set even though the code only generates text and updates local conversational state. In an assistant handling scheduling and reminders, this can cause users to rely on actions that never occurred, leading to missed meetings, missed deadlines, or operational mistakes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The document explicitly describes permanent storage of conversation history in SQLite and semantic retrieval of memories, but provides no mention of consent, retention limits, access controls, deletion, or privacy notice. In a secretary/assistant skill that handles scheduling, work context, and interpersonal data, long-term storage materially increases privacy and surveillance risk if users are unaware or if the data is later exposed or misused.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill describes learning user preferences, working hours, priorities, expression habits, and frequent functions from behavior patterns and feedback without any privacy warning or transparency mechanism. Because this assistant is designed to infer personal and workplace behavior, undisclosed profiling can create significant privacy harm, unexpected monitoring, and downstream misuse of sensitive behavioral data.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The skill presents very broad conversational inputs such as commands, suggestions, statements, emotions, and ambiguous phrases without defining clear activation boundaries or requiring explicit confirmation for operational actions. In an assistant that manages schedules and messaging, this can cause unintended task execution from ordinary conversation or vague prompts.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README shows the assistant automatically arranging meetings, notifying attendees, preparing client data, route plans, and reminders without clearly warning users that these actions may affect calendars, messages, or external systems. In the context of integrated enterprise platforms, such undocumented automation increases the risk of unauthorized disclosures, accidental notifications, and unintended state changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The release notes describe 7-day habit learning based on user interactions, active hours, decision style, and communication preferences, but provide no notice, consent, retention, or control information. In an assistant integrated with workplace platforms, this creates a real privacy and profiling risk because users may be behaviorally monitored without informed choice or clear limits.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation advertises predictive actions such as replying to emails, sending reminders, and booking meeting rooms without clearly stating whether these are suggestions only or actions requiring confirmation. In a secretary skill connected to Feishu, DingTalk, and WeCom, ambiguity around autonomous state-changing behavior can lead to unauthorized actions affecting user data, communications, and scheduling.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The description highlights convenience features but omits clear warnings that the skill can proactively message users and send external notifications across multiple platforms. For a secretary-style agent, proactive outbound communication can expose sensitive scheduling or contextual information to unintended recipients, especially if users do not realize the skill may act without a contemporaneous prompt.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The calendar management section describes create/edit/delete functionality without warning that the skill can modify or remove schedule data. In a scheduling assistant context, silent or poorly explained calendar write access can cause business disruption, missed meetings, or unauthorized tampering with user records if the capability is misunderstood or over-trusted.

Ssd 3

Medium
Confidence
89% confidence
Finding
The skill retains raw user messages, extracted entities, and learned contacts in memory across turns without any minimization, consent, retention limit beyond recent_turns, or sensitivity controls. In a secretary context, those messages may contain names, schedules, locations, and other personal or business-sensitive data that can later be reused or exposed unintentionally.

Ssd 3

Medium
Confidence
89% confidence
Finding
The skill stores raw user text in conversation history together with inferred emotion, intent, and timestamps, which can include sensitive personal or business information. In an assistant context handling scheduling, workplace communication, and emotional content, retaining full utterances without minimization, consent, retention controls, or redaction increases privacy leakage risk if logs are exposed, reused, or surfaced unintentionally.

Ssd 3

Medium
Confidence
88% confidence
Finding
The skill stores up to 20 turns of raw conversation content together with timestamps and metadata in memory, creating a pool of potentially sensitive user data. In an assistant that handles scheduling, reminders, and enterprise communications, those messages can contain personal or business-sensitive information, and retaining them without minimization, masking, access control, or retention controls increases privacy and disclosure risk.

Ssd 3

Medium
Confidence
92% confidence
Finding
The habit-learning component accumulates longitudinal interaction metadata, including timestamps, message/response characteristics, and inferred behavioral patterns such as active hours and communication preferences. Even without full message bodies, this creates a behavioral profile that can reveal work routines and user habits, which is sensitive in a secretary-style assistant integrated with workplace tools.

VirusTotal

65/65 vendors flagged this skill as clean.