Poke

Security checks across malware telemetry and agentic risk

Overview

This reminder skill is not clearly malicious, but it deserves Review because it can persist timers that later run local commands, forward replies, and inject saved personal context into future agent prompts.

Install only if you trust this publisher and want a scheduler that can create OS timers and run local commands later. Avoid command hooks unless you wrote the exact script, keep path sets limited to non-sensitive files, do not store secrets in commitments, and disable or avoid vector tones unless you are comfortable with the configured embedding endpoint.

Publisher note

AFAIK nothing needs any access, but if Claude goofed up the vibe coding please let me know. My email is bryant.eliott@gmail.com

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (24)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill stores arbitrary filesystem paths and later expands them into task/reminder content, which extends the skill beyond simple scheduling into local file-reference management. While it does not directly read file contents here, it creates a mechanism for persistent enumeration and disclosure of sensitive local paths into agent prompts or downstream outputs, which can leak environmental details or facilitate follow-on abuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The hook runner executes arbitrary local programs from reminder state using execFileSync, including pre-fire, post-fire, and reply-triggered hooks. Even without a shell, this is still arbitrary code execution under the agent's privileges, and the commands can be attacker-influenced via CLI options or persisted state, enabling destructive local actions, data exfiltration, or persistence.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The path-set feature allows arbitrary local file contents to be expanded directly into agent task prompts via `{{paths:name}}`. In a scheduling/reminder skill, this materially broadens scope from time-based orchestration into data access and exfiltration, and the documentation provides no consent, scoping, or path restrictions. If an agent can create or reference a path set, sensitive files could be silently pulled into downstream prompts or logs.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation is internally inconsistent about how to make a reminder fire during quiet hours. Earlier sections correctly state that `--no-quiet-hours` only opts a reminder out of the global default quiet-hours window, while the anti-pattern section suggests it as the normal way to fire during quiet hours instead of `--urgent`. An agent following the later guidance could schedule reminders that still remain blocked by per-reminder quiet hours, DND, or other gates, causing time-sensitive reminders to be delayed unexpectedly.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
This documentation explicitly introduces hooks that execute local commands and launch agent prompts as part of a reminder workflow, materially expanding the skill from passive scheduling into active code/task execution. In an agent setting, that enables arbitrary side effects on the host and delegated actions in captured channels/targets, which is dangerous if a user or upstream prompt can influence hook arguments or prompt content.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The file presents arbitrary OS command execution as a normal first-class feature of a reminder skill, including service control and process management. Even without a shell, exec-style invocation still allows powerful local actions, persistence, and misuse of trusted scheduler context, making compromise or unintended side effects significantly more severe than a typical reminder capability.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The description advertises side-effect scripts and deferred agent tasks without a clear warning that these may execute commands, modify state, or trigger actions later without immediate user visibility. In a scheduling skill, deferred execution increases risk because harmful actions can occur asynchronously and may bypass the user's moment-of-execution scrutiny.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The preset instructs the agent to review the user's current notes and the broader workspace state at reminder time, but it does not clearly limit what files, folders, or data classes may be accessed. That broad scope can lead to over-collection of sensitive workspace content and unintended inclusion of private or irrelevant data in the synthesized morning plan.

Natural-Language Policy Violations

Low
Confidence
88% confidence
Finding
The timezone helper falls back to `os.userInfo().username` when a timezone abbreviation cannot be derived, which can expose the local account name in logs, notifications, prompts, or other user-visible scheduler output. In a reminder/scheduling skill, this mixes identity data into a formatting function unexpectedly and can leak host information to downstream consumers or remote recipients.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Command hooks are executed silently at the execution site, with only best-effort internal logging and no clear runtime disclosure to the user. In a scheduling skill, hidden side effects are particularly dangerous because deferred execution can obscure causality and make users unaware that a reminder will run local programs later.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
A user reply can trigger the pong command hook without any clear disclosure at the time of reply processing. This creates a dangerous implicit action path where ordinary conversational responses like confirm/cancel can cause local command execution, increasing the risk of surprise side effects, abuse through social engineering, and privilege misuse.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The embed() function transmits arbitrary input text and tone metadata to the service at OLLAMA_URL, which may be remote if the environment variable is changed from the localhost default. In a reminder skill, user prompts can contain sensitive personal schedules, tasks, or message content, so sending them off-process/off-host without explicit disclosure or consent creates a privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly states that commitments are stored in a local state file and later appended into future agent task prompts, but it does not present this as a user-facing privacy/security warning or obtain clear consent. This creates a real prompt-context and data-retention risk: sensitive or personal commitments may persist longer than users expect and be surfaced to future agent runs in ways that broaden exposure beyond the original interaction.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation explicitly promotes a 'self-sustaining cycle' and 'keep poking until I reply' behavior, but it does not prominently warn about the persistence, notification frequency, or risk of repeated unwanted contact. In a reminder/escalation skill, this can enable harassment-like behavior, user surprise, or denial-of-attention through repeated notifications, especially with unlimited or recurring pokes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The file documents `--if-unconfirmed-command CMD` as a followup action without any warning about arbitrary shell command execution. In this skill context, deferred execution tied to reminders and lack of reply creates a dangerous automation primitive that could run destructive or sensitive commands later, under conditions the user may not fully anticipate.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Substituting raw file contents into task prompts without prominent disclosure creates a direct data exposure channel. Because prompts may be processed by other agents, models, hooks, or logs, users may unknowingly leak sensitive local data far beyond the reminder system's expected purpose.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to forward the user's exact message to `poke --reply`, which creates a clear data-transmission path for potentially sensitive user content. Because the document explicitly normalizes forwarding 'ANY message' that could be a reply and does not disclose this behavior or constrain what may be sent, users may unknowingly have private content transmitted and stored or processed by the CLI/backend.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The file states that when heuristic matching fails, an LLM classifier may run against pending candidates, implying user message content may be sent to an LLM without any user-facing notice or consent. This is especially sensitive because reply text may contain personal or confidential information, and LLM processing can involve external services, logging, or retention beyond the user's expectations.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documented hooks can start services, launch scripts, and run reply-triggered commands, but the file does not foreground the operational risk of causing persistent or disruptive system changes. In a reminder-oriented skill, users may not expect that scheduling a poke can also schedule privileged local side effects, which increases the chance of unsafe use or social engineering.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The hook environment exposes reminder text and channel/target metadata to every invoked command, which can leak sensitive context into scripts, logs, subprocess trees, or third-party tooling. Because the docs normalize this exposure without any privacy warning or minimization guidance, operators may inadvertently pass sensitive user or routing data into untrusted scripts.

Natural-Language Policy Violations

Medium
Confidence
97% confidence
Finding
The file explicitly defines a user-facing tone as 'passive-aggressive' and instructs the assistant to add an antagonistic edge to reminders. In a reminder/escalation skill, this can produce harassing or emotionally manipulative output without user opt-in, increasing the risk of abusive messaging, reputational harm, and unsafe escalation in sensitive contexts.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The tone configuration explicitly instructs the agent to be harsh and to call out procrastination directly, which imposes a coercive communication style without explicit user opt-in. In a reminder/escalation skill, this can lead to unwanted abusive or distressing interactions, especially when messages may repeat over time or be sent during emotionally sensitive moments.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The tone guidance explicitly instructs the agent to be passive-aggressive, which can cause hostile or demeaning interactions without user consent. In a reminder and recurring nudge skill, this is especially risky because the behavior may be repeated over time, amplifying harassment, user distress, or trust erosion.

Chaining Abuse

High
Category
Tool Misuse
Content
.map(([key, value]) => `Environment=${systemdEscape(`${key}=${value}`)}`);
  const unitBase = handle.unitName;
  const deliverCmd = [process.execPath, scriptPath, "--deliver", reminderId].map(systemdEscape).join(" ");
  const cleanupCmd = `systemctl --user disable --now ${unitBase}.timer 2>/dev/null; rm -f ${handle.servicePath} ${handle.timerPath}; systemctl --user daemon-reload`;
  return [
    "[Unit]",
    `Description=Text reminder: ${reminderId}`,
Confidence
92% confidence
Finding
; rm -

VirusTotal

VirusTotal findings are pending for this skill version.
