Easy TODO list management for busy crustaceans and their humans

Security checks across malware telemetry and agentic risk

Overview

This is a local TODO manager that stores tasks on disk and can produce scheduled reminders, with no evidence of hidden network access or destructive behavior.

Install this if you want a local Node-based TODO file with recurring tasks and scheduled summaries. Do not put secrets or highly sensitive notes in tasks, confirm whether your agent environment will actually send proactive morning/evening messages, and leave TODOS_FILE unset unless you intentionally want a different task-store path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Low
Confidence: 92%
Finding
The skill allows the storage file path to be overridden via the TODOS_FILE environment variable, which means an external caller can direct reads and writes to arbitrary filesystem locations accessible to the process. In an agent or automation context, this expands the tool's scope beyond a personal TODO file and can overwrite or corrupt unrelated files, even though the code appears intended for convenience rather than abuse.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs the agent to send proactive morning and evening messages on a schedule without any explicit user opt-in, warning, or control mechanism. Unsolicited outbound messages can violate user expectations, leak sensitive task information at inopportune times, and create notification abuse or privacy issues, especially for a personal TODO manager handling deadlines and notes.

VirusTotal

65/65 vendors flagged this skill as clean.
