Baby Words Tracker

Security checks across malware telemetry and agentic risk

Overview

This is a coherent baby vocabulary tracker, but users should know it stores child language records locally and may sync them to Feishu cloud documents.

Install only if you are comfortable keeping a child's vocabulary history, name or birth-date metadata, and progress records over time. If enabling Feishu sync, use a dedicated document with limited sharing permissions, confirm what account receives the data, and delete or restrict the local JSON database when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium, 88% confidence
Finding
The README states the skill will automatically trigger on broad natural-language phrases like "记宝宝说/说了", which can easily appear in ordinary conversation or quoted text. In a child-language tracking skill, accidental activation can cause unintended collection and storage of sensitive family data, and because the skill also persists data and may sync it externally, the risk is amplified beyond a harmless UX issue.

Missing User Warnings

Medium, 94% confidence
Finding
The README advertises automatic synchronization to Feishu cloud documents but does not clearly warn users that recorded content may be transmitted to a third-party service. Because the tracked data concerns a baby's speech and family activity, silent or poorly disclosed cloud export creates a privacy and data-handling risk, especially if users assume the skill is purely local.

Missing User Warnings

Medium, 88% confidence
Finding
The skill is designed to automatically transmit a child's speech-development data to Feishu, but the description does not warn users that potentially sensitive child data will be shared to a cloud service. This creates a privacy risk because caregivers may provide identifiable developmental information without informed consent or understanding of third-party storage.

Missing User Warnings

Medium, 93% confidence
Finding
The workflow explicitly writes child-language records to a local JSON database and then syncs them to Feishu, yet the documentation provides no warning about persistent local storage or external cloud transmission. In the context of a baby-tracking skill, this is more sensitive because it involves a minor's developmental data, which can be personal and long-lived.

VirusTotal

66/66 vendors flagged this skill as clean.
