ClawHub

Dad.skill

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only parenting helper that clearly discloses local storage of family notes and shows no hidden execution, networking, or destructive behavior.

Install only if the family is comfortable keeping child routines, schedules, and parenting notes in local plain-text files. Use clear prompts and confirmation before saving or revealing sensitive details, review companion mom.skill data-sharing expectations, delete ~/.dad-skill/family/ to remove stored data, and rely on a pediatrician for medical concerns.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases for Activity Mode include very generic everyday language such as "What should we do?" and "Weekend ideas?", which can easily appear in normal conversation unrelated to this skill. That creates a prompt-squatting risk where the skill may activate unintentionally, exposing private family context or causing unintended reads/writes to local memory.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Bonding Mode activates when "Dad reports a moment with baby," which is an ambiguous behavioral condition rather than a precise invocation phrase. This makes it easy for ordinary conversation to be misinterpreted as a command, potentially causing unintended persistence of sensitive family memories and behavioral data.

Vague Triggers

Medium
Confidence
91% confidence
Finding
Night Mode is configured to trigger on "Any question between midnight and 6am on dad's shift," which is extremely broad and context-driven. A wide activation window tied to time rather than explicit invocation increases the chance of accidental activation and disclosure of sensitive child-care history or recommendations during unrelated late-night conversation.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal