Dida Coach

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a Dida/TickTick task coach, but it deserves review because it can modify tasks and local agent configuration, stores OAuth secrets in plaintext, and uses broad automatic routing.

Install only if you are comfortable letting this skill read and change your Dida/TickTick tasks. Prefer the normal MCP authorization path, confirm before allowing local OpenClaw config edits, avoid the optional local OAuth helper unless needed, and protect or delete ~/.dida-coach/dida-openapi.env if you use it.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (20)

Missing User Warnings (Medium severity, 93% confidence)
The README instructs the skill to automatically write local MCP configuration and persist OAuth tokens to user home-directory files, but it does not prominently warn users that local files will be modified and credentials will be stored on disk. In an agent-skill context, undocumented config changes and token persistence increase the risk of unintended privilege expansion, credential exposure, and difficult-to-audit side effects, especially when users may copy commands without understanding the persistence behavior.

Vague Triggers (Medium severity, 83% confidence)
The description includes broad trigger phrases such as planning, reminders, procrastination, review, and task lookup that can overlap with ordinary conversation. Over-broad routing can invoke the skill in contexts the user did not intend, which is more dangerous here because the skill can progress from conversational coaching into file, network, and task-writing actions.

Missing User Warnings (Medium severity, 96% confidence)
The skill states that a single explicit write action should execute by default and that create/update/complete/move operations should proceed after only a brief description, with stronger confirmation reserved mainly for high-risk batch actions. In this context, writes affect external task systems and local productivity state, so insufficient pre-execution risk disclosure can lead to unintended task completion, rescheduling, movement, or local configuration changes that are hard for users to notice immediately.

Vague Triggers (Medium severity, 95% confidence)
The skill enables implicit invocation without any trigger constraints, so the agent may automatically activate a task-management skill that can read and write user tasks based on loose conversational cues. In this context, the connected MCP has write capabilities, making unintended invocation more dangerous because it could create, modify, move, or complete tasks without sufficiently explicit user intent.

Vague Triggers (Medium severity, 89% confidence)
The trigger conditions include broad natural-language phrases, such as user reports like '来个检查点' ("give me a checkpoint"), which can overlap with ordinary conversation and cause the skill to activate unintentionally. In a task-management skill that can complete, update, move, or reschedule tasks, accidental activation can lead to unintended workflow changes or misleading checkpoint guidance.

Missing User Warnings (Medium severity, 95% confidence)
The prompt instructs the agent to update task status, remarks, times, and possibly move tasks, but it does not explicitly require notifying the user that their task data will be modified. In a productivity system, silent writes can violate user expectations, create integrity issues in planning data, and amplify the risk from misclassification or prompt-trigger mistakes because state changes occur without an explicit approval checkpoint.

Vague Triggers (Medium severity, 90% confidence)
The trigger condition includes a broad temporal/contextual clause ('月末或月初的管理回顾', "management review at the end or start of the month") rather than requiring a clear user request. That can cause the skill to activate during general discussion or periodic review contexts and perform task/query actions the user did not explicitly ask for, increasing the risk of unintended data access or state changes.

Missing User Warnings (Medium severity, 93% confidence)
The prompt explicitly tells the agent to automatically write the `dida365` server configuration into OpenClaw's local `mcpServers` when the environment permits it, without requiring a clear confirmation flow, backup step, or warning that local user configuration files will be modified. In an agent context, instructions to edit local configuration are security-relevant because they can change trusted tool connectivity and persist beyond the session, increasing the risk of unintended or unauthorized system state changes.

Missing User Warnings (High severity, 95% confidence)
The optional OAuth flow directs the user or agent to collect `client_id` and `client_secret` and then automatically write resulting credentials to `~/.dida-coach/dida-openapi.env`, but it does not warn that these are sensitive secrets, does not specify restrictive file permissions, and does not describe secure handling or redaction expectations. Storing API credentials locally in a predictable path without explicit safeguards can expose tokens to other local users, logs, backups, or later prompt leakage.

Missing User Warnings (Medium severity, 92% confidence)
The prompt explicitly says that in OpenClaw, if the user clearly allows modifying local configuration, the agent should preferentially write the dida365 HTTP MCP configuration directly. This is security-relevant because it authorizes local configuration changes by default within a workflow, which can alter trusted tool wiring and introduce persistence or unintended capability changes if the user's consent is ambiguous or overly broad. In this skill context, the danger is elevated because MCP configuration affects external integrations and the authentication flow, so automatic writes can have side effects beyond ordinary task management.

Missing User Warnings (Medium severity, 90% confidence)
The prompt explicitly instructs the agent to directly execute single write operations by default, with only a brief statement before acting and no explicit confirmation from the user. In a task-management skill connected to TickTick/MCP, this can cause unintended data modification from ambiguous or misparsed user input, especially for destructive actions like completing, moving, or editing tasks.

Missing User Warnings (Medium severity, 94% confidence)
The prompt explicitly directs the agent to create real TickTick tasks and reminders, and even says not to leave the plan as text once the user confirms. Without an explicit user-facing warning that this will modify the user's actual task list, users may not understand they are authorizing external side effects, increasing the risk of unintended task creation, reminder spam, or workflow disruption.

Missing User Warnings (Medium severity, 91% confidence)
The document explicitly says the OAuth helper will automatically write sensitive credentials and tokens to a local `.env` file, but it does not warn users about the security implications of storing long-lived secrets on disk. In a productivity agent context that handles task systems and local automation, this increases the chance that tokens are left readable by other local users, accidentally committed, backed up insecurely, or exposed through logs and support bundles.

Missing User Warnings (Medium severity, 89% confidence)
The script persists the OAuth client ID, client secret, and token data to an environment file, which creates a local secret-at-rest exposure if the file is readable by other users, accidentally committed, or included in backups. In a productivity skill that manages task data, compromise of these credentials could allow unauthorized API access and ongoing account misuse until the secrets are revoked or rotated.

Vague Triggers (High severity, 95% confidence)
The trigger pattern "(我想|我要|计划|目标).*" ("(I want|I'm going to|plan|goal).*") is broad enough to activate on many ordinary planning statements, causing this skill to capture requests that may not actually be intended for task decomposition. In this skill, activation can lead to downstream task-management behavior via MCP-backed tooling, so misrouting is more dangerous than in a read-only advisory skill.

Vague Triggers (High severity, 97% confidence)
This trigger includes ambiguous phrases like 查一下 ("look it up"), 创建一个任务 ("create a task"), 改提醒 ("change the reminder"), and 改截止时间 ("change the deadline") without clear scoping or object constraints, making accidental activation likely during normal conversation. Because the skill is connected to a live Dida365 MCP for reading and mutating tasks, unintended routing could expose task data or perform unwanted updates.

Vague Triggers (Medium severity, 91% confidence)
The regex "(做|完成|准备|安排).*" ("(do|complete|prepare|arrange).*") is extremely generic and can match a large share of everyday requests unrelated to timeboxing. In a skill that may create planning artifacts or schedule-related actions, this broad capture increases the chance of inappropriate automation and user confusion.

Vague Triggers (Medium severity, 89% confidence)
The daily review trigger "(复盘|回顾|总结).*" ("(retrospective|review|summary).*") overlaps with ordinary reflective language and may activate for generic discussion rather than a structured review workflow. In context, this is less severe than task mutation triggers, but it can still misroute conversations and potentially cause unnecessary data access to support a review.

Vague Triggers (Medium severity, 93% confidence)
The rescheduling trigger uses generic edit verbs like 改 ("change"), 调整 ("adjust"), and 取消 ("cancel"), which can match many unrelated user requests and redirect them into scheduling logic. Since rescheduling commonly implies modifying reminders or due dates, accidental activation can result in unintended calendar/task changes if tool execution proceeds.

Missing User Warnings (Medium severity, 95% confidence)
The function persists the OAuth client secret, access token, and refresh token to a plaintext local .env file with no permission hardening, encryption, or warning to the user. On multi-user systems, compromised accounts, backups, logs, or sync tools could expose long-lived credentials and enable unauthorized access to the user's Dida account.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal