Things plus

Security checks across malware telemetry and agentic risk

Overview

This Things 3 helper is coherent, but it can modify a real personal task database from broad everyday planning language without requiring confirmation.

Install only if you want an agent to read and modify your real Things 3 database from inferred planning intent. Consider adding your own instruction that inferred captures, deletes, bulk edits, and test cleanup runs require confirmation; review the third-party Things CLI before installing; keep the Things token in the environment, not chat; and grant Full Disk Access only when necessary.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

High (95% confidence)
Finding
The trigger criteria are intentionally broad and include common everyday phrases like 'I should' and 'remind me to', which can cause the skill to activate when the user is merely discussing plans rather than requesting persistence. Because this skill performs direct writes to a personal task database, over-triggering can lead to unauthorized or unexpected creation of tasks and unintended storage of personal planning data.

Missing User Warnings

Medium (92% confidence)
Finding
The skill explicitly says to attempt writes directly and only escalate on failure, but it does not require a user-facing notice that the action will modify the local Things database. In a task-management context this creates integrity and privacy risk because normal conversation may cause silent persistent changes without the user realizing a write occurred.

Vague Triggers

Medium (86% confidence)
Finding
The prompt is framed as a broad integrated test covering many workflows, but it does not establish strict boundaries for when such a test should be invoked or under what environment it is safe to run. In a personal task-management skill, broad trigger conditions can cause the agent to run against a real Things database rather than a sandbox, leading to unintended task creation, modification, or deletion from ordinary user conversations.

Missing User Warnings

High (97% confidence)
Finding
The prompt instructs the agent to delete everything added during the test run, retry deletions, and only stop when search results are empty, but it provides no user-facing confirmation or safety guard before destructive actions. In the context of a personal task manager, this is especially dangerous because weak scoping, ambiguous matching, or prior state contamination could cause deletion of legitimate tasks, recurring items, projects, or tags beyond the intended test artifacts.

VirusTotal

60/60 vendors flagged this skill as clean.
