My skill for SmartSchedule

Security checks across malware telemetry and agentic risk

Overview

This scheduling skill is not clearly malicious, but it needs review because it can run in the background and send schedule details to chat or email with unclear controls.

Install only if you intend to use it as a shared scheduling/reminder system. Before enabling cron, DingTalk, or email summaries, confirm who can see schedule entries, where messages are sent, how to disable the jobs, and whether sensitive notes should be excluded from reminders.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill directs the agent to run local Python scripts and therefore implicitly requires filesystem access, yet no permissions are declared. This creates a governance gap: the skill can read local files and operate on a SQLite database without an explicit permission boundary, making review, sandboxing, and user consent weaker.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill claims that all schedule operations go through schedule_manager.py, but it also invokes other scripts and autonomous reminder flows through cron and external message delivery. This mismatch hides meaningful capabilities from reviewers and users, increasing the chance that persistent background execution and outbound notifications are enabled without informed approval.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The README describes a server-hosted, DingTalk-accessible shared scheduling service, which materially differs from the metadata claiming a local schedule manager. This kind of scope mismatch can mislead reviewers and operators about trust boundaries, exposure surface, and who can access or mutate data, increasing the chance of unsafe deployment and unauthorized access.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documentation lists operational behaviors outside the declared boundary that all schedule actions occur through schedule_manager.py, including reminder scripts, email handling, config, and scheduled jobs. Undocumented or boundary-breaking components create hidden execution paths and side effects that may bypass expected controls, review, and auditing.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The skill instructs the agent to obtain chat-context identifiers and send proactive DingTalk messages, which expands it from local schedule CRUD into outbound communications using contextual identifiers. In a shared-team calendar context, this can expose schedule content to unintended recipients or allow unauthorized message routing if the context is misidentified or spoofed.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill tells the agent to create persistent cron jobs in a user home-directory path, giving it ongoing scheduled execution beyond the immediate user request. Persistent autonomous execution increases the blast radius of mistakes or abuse, especially when paired with scripts that read local data and send notifications.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation states that all schedule operations use schedule_manager.py, but later sections rely on other scripts and cron-triggered autonomous runs for reminders and summaries. This inconsistency weakens transparency and can cause reviewers or users to underestimate the skill’s real execution paths and data flows.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The activation guidance uses very broad terms like schedules, meetings, reminders, and trips, which can cause the skill to trigger in routine conversation without clear user intent. Because this skill can modify shared team data and install reminder automation, accidental invocation can lead to unintended changes or disclosures.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill describes shared-team scheduling and reminders but does not prominently warn users that calendar entries and reminder content may be visible to others. In a shared SQLite-backed system, privacy expectations are easily violated if users assume they are managing personal rather than team-visible schedules.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The group-mode reminder instructions tell the agent to send reminders to a group conversation without a strong warning that schedule details will be exposed to all group members. In context, this is especially risky because the skill manages team-shared data and can push content proactively every five minutes, amplifying accidental disclosures.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The document describes automatic emailing of schedule details, including title, time, location, and notes, to an external SMTP service without emphasizing consent, data-minimization, or recipient safeguards. In a scheduling skill, this increases the risk of unintended disclosure of potentially sensitive internal meeting information to misconfigured or unauthorized recipients.

Missing User Warnings

Low
Confidence
72% confidence
Finding
The skill proactively pushes DingTalk reminders in the background, which is outbound messaging on behalf of the user or team. While expected in a reminder system, undocumented or implicit automatic delivery can still cause privacy, consent, or message-routing issues if staff IDs or channel targets are misconfigured.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script automatically emails upcoming schedule details, which may include sensitive titles, locations, and descriptions, to a configured recipient without any consent, disclosure, minimization, or confirmation in the code path. In a local team schedule-management skill, this increases privacy and data-leak risk because routine cron execution can continuously exfiltrate operationally sensitive information if the recipient or SMTP configuration is wrong or compromised.

VirusTotal

65/65 vendors flagged this skill as clean.
