Mom.skill

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local baby-care logging skill with privacy cautions, but no hidden code, network transmission, credential use, or destructive behavior was found.

Install only if you are comfortable keeping baby-care and caregiver-routine details in local plain-text files. Use explicit logging and briefing requests, avoid shared-device access unless all caregivers consent, treat outputs as a memory aid rather than medical advice, and delete ~/.mom-skill/babies/ when you no longer want the records retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 89%
Finding
The 3am Mode trigger activates on any question asked between midnight and 6am, which is overly broad and can cause the skill to respond in situations unrelated to baby tracking. That creates unintended invocation risk, especially because the mode changes behavior to terse, action-oriented answers without clear confirmation that the user wants this skill engaged.

Vague Triggers

Medium
Confidence: 84%
Finding
Using 'Parent reports an observation' as a trigger is too vague, so normal conversation may be interpreted as structured logging. In a skill that stores sensitive family and child-related observations persistently, unintended logging can create privacy, integrity, and consent problems.

Vague Triggers

Medium
Confidence: 81%
Finding
Briefing Mode can be activated by common conversational phrases like 'How was her day?' or 'What did I miss?', which are likely to appear in ordinary chat. In a multi-caregiver context, accidental activation could reveal private baby-care history or summaries to the wrong user or at the wrong time.

VirusTotal

VirusTotal findings are pending for this skill version.