Skill Stuff

Security checks across malware telemetry and agentic risk

Overview

This is advertised as a daily recap skill, but the package also contains many unrelated automation skills for email, finances, posting, contacts, cloud agents, and appointments.

Install only after confirming this package is meant to be a multi-skill collection, not just main-character-recap. If you only want the recap feature, ask the publisher to ship a clean version containing only the recap files and clearly declared data sources, cron behavior, storage, and delivery controls.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access

Findings (291)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The file's behavior is fundamentally misaligned with the declared skill purpose: instead of producing TV-show-style daily recaps, it defines a full multi-platform content marketing and publishing pipeline. This kind of capability drift is dangerous because it can cause an agent selected for a harmless recap task to draft promotional content, generate assets, and initiate publication-oriented workflows the user did not reasonably authorize.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The file introduces approval, deployment, and auto-posting commands that enable external publication workflows unrelated to the stated recap-only function. In context, this is especially dangerous because a user invoking a lighthearted summary skill would not expect it to queue or publish content, creating risk of unauthorized posting, reputational harm, and accidental data disclosure through external systems.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The file directs the generation and storage of OG marketing images for multiple public platforms, which exceeds the stated purpose of generating a daily recap. While less severe than auto-posting, this still creates unjustified asset production and storage that could expose user themes, branding details, or recap-derived content in files the user did not intend to create.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest declares only web_search and web_fetch, but the skill body instructs the agent to perform actions requiring stronger capabilities: browser-driven form submission, calendar access, persistent storage, and scheduled outbound reminders. This creates a dangerous capability mismatch where users and platform policy may assume a read-only/search-only skill, while the skill is designed to handle sensitive appointment and health workflows with hidden state and automation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill directs the agent to register isolated cron jobs that later send reminder messages, introducing autonomous future execution and message delivery beyond the declared appointment-search scope. Scheduled execution is risky because it can continue operating on stored sensitive data outside the user's immediate interaction and without clear capability disclosure or repeated consent.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill's documented behavior expands from passive bill tracking into active Gmail scanning and external web searching, which materially increases the data access and action surface beyond what users may infer from the name and description. This is dangerous because it can cause the agent to process sensitive financial emails and transmit derived user context to outside services without a narrowly scoped, clearly consented workflow.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Scanning Gmail for keywords like "bill", "invoice", and "statement" grants access to a broad set of personal communications that may include sensitive financial, medical, legal, or household information unrelated to the monitoring task. In this skill context, the access is especially risky because the subject matter is household finances, so overcollection can expose highly sensitive data if the scan is overbroad or compromised.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation claims bill data stays local and is never shared externally, yet the switch advisor explicitly performs web searches against external services to compare rates. That inconsistency can mislead users about where their data may flow, undermining informed consent and creating a risk that financial context or location-derived details are disclosed to third parties.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The skill's privacy policy says it must never surface contact data in group or shared channels, yet the delivery configuration allows arbitrary channels and recipients. That creates a direct path for sensitive third-party personal data to be sent to non-private destinations, contradicting the stated safeguards and risking disclosure of birthdays, relationships, and personal notes.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The scheduled daily and weekly agent jobs automatically read contacts and generate outputs without including the mandated group/shared-session privacy validation. Because these jobs run unattended, any misconfiguration or channel change could cause recurring leakage of intimate third-party data without user review at send time.

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The skill's scope expands from simple contact tracking into importing Google Contacts and scanning Gmail, which processes substantial third-party personal data beyond what users may expect from the description. Even if intended for convenience, this broadens collection and analysis of sensitive data and increases the blast radius if mishandled or exposed.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Scanning Gmail for milestone signals such as job changes, congratulations, and LinkedIn updates is a broad monitoring capability that can infer sensitive life events about third parties from private communications. In the context of a personal relationship tool, this is more dangerous because it normalizes passive surveillance of other people's personal information rather than requiring deliberate user-provided updates.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The document says the skill is on-demand, but it also supports scheduled pulls via cron and automatic delivery to a configured channel. That mismatch can lead users to authorize what they believe is one-time analytics access while the skill continues periodic data collection and redistribution, increasing privacy and consent risk.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Writing intelligence summaries into pieces.md for consumption by another skill creates cross-skill data propagation beyond the dashboard's stated analytics function. This broadens the data-sharing surface and can leak behavioral or performance data into downstream workflows without a clearly bounded user authorization model.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill metadata declares only the browser tool, but the Reddit pre-posting flow explicitly instructs use of web_fetch to read subreddit rules. This capability mismatch can cause the agent to reach for an undeclared tool or fail open, weakening tool-boundary guarantees and making behavior less auditable in a high-risk skill that performs authenticated posting actions.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The manifest presents the skill as a lightweight reflection tool, but later functionality includes optional access to calendar and meeting-prep notes. That mismatch can undermine informed consent because users may enable or invoke the skill without realizing it may inspect additional personal data sources.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Prompted mode accesses calendar and meeting-prep notes to personalize questions, which expands data exposure beyond a simple three-question debrief. Even if intended to improve relevance, this creates unnecessary privacy risk unless the access is narrowly scoped, user-approved, and transparent.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill is presented as a local expense logger, but it also introduces Gmail receipt scanning, which expands access to a much broader set of personal data than users may reasonably expect from the manifest and description. This creates a scope/consent mismatch that can lead to over-collection of financial and email metadata if invoked without a clearly separate, explicit opt-in flow.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
Retrospective scanning of up to 3 months of Gmail receipt emails materially increases the amount of sensitive data the skill can access beyond a narrow single-receipt logging workflow. Even if framed as seeding data, the capability broadens the attack surface and raises privacy risk because mailbox scanning can expose purchase history, merchants, dates, and potentially adjacent email content.

Intent-Code Divergence

High
Confidence
97% confidence
Finding
The skill claims that data never leaves local memory files and is never sent to external services, yet earlier sections require accessing Gmail to scan receipts. This contradiction is dangerous because it misrepresents actual data flows, undermines informed consent, and may cause users to expose sensitive financial email data under false privacy assurances.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill directs the agent to pull data from Google Calendar and Contacts despite declaring only the web_search tool, creating a capability/spec mismatch. This can mislead deployers about what data the skill expects to access and encourages collection of sensitive personal information (birthdays, relationships, contact data) without an explicit, authorized integration path.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to scan Gmail for appointment confirmations, pharmacy receipts, and test-result emails, which expands access from a local personal health log into a broad and highly sensitive mailbox data source. In a health-context skill, this is especially dangerous because email may contain protected health information, provider identities, diagnoses, prescriptions, and unrelated sensitive correspondence, creating unnecessary data collection and risk of overreach beyond the minimum needed purpose.

Scope Creep

High
Confidence
95% confidence
Finding
The skill instructs the agent to scan a local dropzone and read/update config.md and state.md, but the manifest only declares browser and web_fetch. This creates a capability/documentation mismatch that can cause unsafe assumptions about what the skill is permitted to access and may encourage execution in environments with broader implicit filesystem privileges than intended.

Scope Creep

Medium
Confidence
97% confidence
Finding
The skill's core function depends on searching Gmail and retrieving attachments, yet the allowed-tools list omits a Gmail-capable tool while the metadata separately claims an MCP requirement. This inconsistency can bypass operator expectations, lead to unauthorized mailbox access in permissive runtimes, and weakens auditable enforcement around sensitive financial email data.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The embedded skill content is materially different from the declared skill metadata: the metadata says this is a TV-show-style daily recap skill, while the file actually implements a job-search assistant that collects and manages sensitive career data. This kind of capability mismatch is dangerous because it can cause users or a host platform to authorize a benign-seeming skill while actually exposing private employment information and enabling unrelated behaviors.

VirusTotal

65/65 vendors flagged this skill as clean.
