Back to skill

Security audit

Woop Daily

Security checks across malware telemetry and agentic risk

Overview

This WOOP coaching skill is mostly coherent, but it silently self-updates and stores sensitive reflection history by default, so it needs user review before installation.

Install only if you are comfortable with the skill running startup shell commands, automatically updating itself, setting reminders when requested, and saving personal WOOP history under `~/.woop-daily`. Safer use would require removing the auto-update block and making logging/history recall explicit opt-in with clear delete controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The changelog explicitly documents autonomous self-update behavior for a skill whose stated purpose is a conversational WOOP exercise. Even though this is only a changelog entry, it indicates the skill may perform actions outside its narrow user-facing scope, creating supply-chain and integrity risk if updates occur without explicit user initiation and review.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Automatically executing `clawhub update` is a privileged system-modifying action that is unrelated to a WOOP reflection skill’s core function. In this context, autonomous package/tool updates increase the attack surface substantially because a non-administrative wellness interaction should not trigger background software changes.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The changelog describes persistent logging of WOOP sessions and later retrieval for review, which goes beyond a transient conversational exercise and creates privacy and retention risks. Reflection content can contain sensitive emotional, behavioral, or health-adjacent personal data, so silent persistence is materially risky even if intended as a feature.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
Persistent local session logging is not clearly necessary for the manifest’s narrow conversational purpose and introduces unnecessary data exposure. In a self-reflection skill, stored journals can reveal intimate personal patterns, making even local files sensitive targets for accidental disclosure or later misuse.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is presented as a short guided WOOP conversation, but its startup logic performs silent self-update behavior and reads changelog data from external/local sources before the conversation begins. This expands the trust boundary far beyond the declared purpose and introduces supply-chain and unexpected-code-change risk without explicit user consent.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest frames the skill as a paced reflective dialogue, yet it also supports reminders and persistent storage of session content. This mismatch can mislead users about what the skill actually does, especially when it stores sensitive personal goals and obstacles that a user may assume are ephemeral.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
A silent network-based self-update is unrelated to the core function of guiding a WOOP exercise and allows the skill's behavior to change outside the reviewed artifact. That creates a supply-chain risk: a compromised update source or malicious release could alter future prompts, tool usage, or data handling without the user's awareness.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Background automatic updates without a clear warning undermine user autonomy and can cause silent system changes. In the context of a wellness/chat skill, this mismatch is especially concerning because users do not reasonably expect maintenance operations to run as part of a reflective conversation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Automatic session logging to user files without an explicit privacy warning is a genuine transparency and privacy issue. Because WOOP exercises may capture sensitive goals, obstacles, and emotional states, undisclosed persistence can violate user expectations and expose personal data on disk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The README advertises automatic triggering on broad natural-language phrases such as wanting to make progress or set a goal. In agent environments, broad triggers can cause unintended activation during ordinary conversation, which may steer users into an unrequested coaching flow and override the expected interaction boundary.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The activation criteria are broad enough to match common expressions like feeling stuck, wanting goals, or feeling messy, which can cause unintended invocation in unrelated contexts. That increases the chance the skill activates and begins collecting or reusing personal content when the user did not specifically ask for this skill.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill mandates writing detailed session data—wish, outcome, obstacle, and plan—to persistent local files without clear upfront notice in the user-facing description. Because WOOP content can include sensitive emotional disclosures and personal struggles, undisclosed retention materially increases privacy and confidentiality risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The startup routine automatically reads prior session logs and surfaces recent entries to influence future conversations without an upfront privacy warning. Even if local-only, this creates unannounced reuse of sensitive historical disclosures and may surprise users who expected each exercise to be private or isolated.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill performs automatic network-based update activity at startup without a clear warning or consent flow. Unannounced network actions increase privacy and integrity risk, especially in a reflective wellness context where users would not reasonably expect external retrieval or behavior changes as part of a 5-minute conversation.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The document explicitly treats broad everyday phrases like '帮我设定目标', '我想推进某事', and '最近好乱' as signals to start the skill, which can cause unintended invocation during normal conversation. In a conversational agent, this increases the chance the skill activates without clear user intent, potentially steering users into a structured psychological interaction they did not request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The document explicitly recommends writing per-session records to persistent files and reloading recent sessions as future context, but it does not mention consent, retention limits, minimization, encryption, or handling of sensitive mental-health-style disclosures. In a conversational self-reflection skill, users may share intimate personal struggles, so persistent logging materially increases privacy and secondary-disclosure risk.

Ssd 3

Medium
Confidence
90% confidence
Finding
The instructions explicitly direct the agent to retain and reuse prior session details, including potentially sensitive personal disclosures, as part of future interactions. Persistent memory of emotional and behavioral content increases privacy risk, especially when users are discussing obstacles, self-criticism, habits, and mental state.

Ssd 3

Medium
Confidence
91% confidence
Finding
The review flow instructs the agent to quote prior plans back to the user based on stored logs, which operationalizes cross-session reuse of personal history. If others can access the same environment or if the user forgot logging was enabled, this can expose sensitive behavior-change goals and personal struggles unexpectedly.

Ssd 3

High
Confidence
99% confidence
Finding
The skill requires comprehensive background logging of all WOOP session content, including goals, feelings, internal obstacles, and plans, which are sensitive self-reflection data. Storing this by default creates a significant privacy risk if the local machine is shared, compromised, backed up insecurely, or inspected by other tools/users.

Ssd 3

Medium
Confidence
96% confidence
Finding
The guidance goes beyond simple logging and instructs the system to reuse recent conversation records as future context, which can cause sensitive user disclosures to be resurfaced unexpectedly or exposed in later interactions. Because this skill is designed for emotionally reflective conversations, the stored data may include mental state, habits, fears, and other highly sensitive personal information, increasing the harm from prompt leakage, over-retention, or unauthorized access.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.