经期管理 / Period Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local period-tracking skill, but it stores sensitive health data locally and can set reminders or update itself when asked.

Install only on a trusted device. Expect menstrual and symptom history to be stored in a local JSON file, treat exports as sensitive, and enable reminders only if you are comfortable with tagged cron jobs being added to your account. Confirm updates, deletes, exports, and reminder changes explicitly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
return
    
    print("⬇️  正在更新...")
    result = subprocess.run(
        ["clawhub", "update", "period-tracker", "--force"],
        capture_output=True, text=True
    )
Confidence
91% confidence
Finding
result = subprocess.run( ["clawhub", "update", "period-tracker", "--force"], capture_output=True, text=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    lines.append(cron_line)
    new_crontab = "\n".join(lines) + "\n"

    proc = subprocess.run(["crontab", "-"], input=new_crontab, text=True, capture_output=True)
    if proc.returncode == 0:
        print(f"✅ 已设置经期提醒")
        print(f"   下次预测经期:{next_date}")
Confidence
93% confidence
Finding
proc = subprocess.run(["crontab", "-"], input=new_crontab, text=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    lines.append(cron_line)
    new_crontab = "\n".join(lines) + "\n"

    proc = subprocess.run(["crontab", "-"], input=new_crontab, text=True, capture_output=True)
    if proc.returncode == 0:
        print(f"✅ 已设置每日经期报告")
        print(f"   报告时间:每天 {hour:02d}:{minute:02d}")
Confidence
93% confidence
Finding
proc = subprocess.run(["crontab", "-"], input=new_crontab, text=True, capture_output=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    lines = [l for l in result.stdout.splitlines() if CRON_TAG not in l]
    
    new_crontab = "\n".join(lines) + "\n"
    subprocess.run(["crontab", "-"], input=new_crontab, text=True)
    
    if reminder_type:
        print(f"✅ 已清除 {reminder_type} 提醒")
Confidence
87% confidence
Finding
subprocess.run(["crontab", "-"], input=new_crontab, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill exposes file read/write and shell-style operational behavior without any declared permissions, which prevents meaningful user review and weakens consent boundaries. In this context, the skill handles sensitive reproductive-health data and also advertises reminder/update behavior, so undeclared capabilities could modify local files, execute commands, or alter persistence mechanisms unexpectedly.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented purpose is period tracking, but the skill also appears to check for updates, force self-update, and modify system crontab entries. That behavior materially exceeds the stated user expectation and can create persistence, silent code changes, or system-level side effects, which is especially risky in a health-oriented skill that users may trust with sensitive personal data.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file includes self-update logic unrelated to the core health-tracking purpose, allowing the skill to reach outside its expected function and interact with package-management tooling. This increases the attack surface and creates a supply-chain risk channel in a context handling sensitive reproductive-health data, where users likely do not expect code-modifying behavior.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Invoking clawhub from a period-tracking skill is outside the stated business purpose and introduces unnecessary dependency on an external package-management executable. In a sensitive-health context, adding nonessential external command execution raises the chance of PATH abuse, environment manipulation, or misleading package metadata affecting user trust and system behavior.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This code path performs an actual package update through clawhub, enabling runtime modification of installed software from within the skill. That is a strong supply-chain and privilege-boundary concern, especially because the skill's stated purpose is menstrual tracking rather than software management, so users are less likely to anticipate or scrutinize such behavior.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The natural-language setup branch unexpectedly calls `remove_reminders(args.type)` after claiming success, so a user asking to create reminders can instead trigger deletion or a crash. This is dangerous because it causes destructive system state changes contrary to user intent, and in this skill context it undermines trust around health-related reminders that users may rely on.

Vague Triggers

Medium
Confidence
88% confidence
Finding
Broad trigger phrases like ordinary discussion of menstruation, ovulation, fertility, or pregnancy planning can cause accidental invocation during normal conversation. In a health-data skill, unintended activation can record sensitive information, reveal private status, or trigger exports/reminders when the user did not intend to use the tool.

Vague Triggers

Medium
Confidence
85% confidence
Finding
Promising unrestricted natural-language use without clear invocation boundaries increases the chance that routine conversation will be interpreted as commands. Because the skill records intimate health data and can perform side-effecting operations such as reminders, ambiguous command parsing raises privacy and integrity risks.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The schema documents storage of highly sensitive menstrual and reproductive health data in a predictable plaintext path under the user's home directory, with no mention of encryption, access controls, retention limits, or privacy warnings. In the context of a period tracker, this increases the risk of local disclosure to other users, malware, backups, logs, or support tooling, exposing intimate health data and fertility-related information.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script modifies the user's crontab immediately, without any confirmation, preview, or warning that it is installing a persistent scheduled task on the host. In an assistant skill, this is more dangerous than in a typical sysadmin tool because users may think they are only configuring app-level reminders, not changing OS-level scheduler state.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script removes cron entries without confirmation or warning, creating a risk of silent loss of expected reminders and unexpected modification of system scheduler configuration. Because this is a health reminder tool, accidental removal can have meaningful user impact even if it is not a classic code-execution flaw.

VirusTotal

66/66 vendors flagged this skill as clean.
