ClawHub

GOG Dormant Game Cleanup

Security checks across malware telemetry and agentic risk

Overview

The skill appears useful for GOG library cleanup, but it may send an email and create Apple Reminders from broadly worded triggers without clear user confirmation.

Install only if you are comfortable giving the skill access to your GOG library workflow and letting it create reminders or send a summary after explicit approval. Before use, confirm the recipient, review the generated report, and ask the agent to scan only unless you approve email and reminder creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger set includes broad phrases like 'unplayed games' and 'clean up my library', which can plausibly match generic cleanup requests outside the intended GOG-specific scope. Because this skill performs side effects by emailing a report and creating reminders, accidental invocation could cause unintended disclosure of game/library data or unwanted actions without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow states that it will email a summary and add Apple Reminders entries, but the skill description does not prominently warn users that invoking the skill causes outbound communication and persistent task creation. In an agent setting, unclear disclosure of side effects increases the risk of surprising actions, privacy leakage, and user confusion, especially if the skill is triggered from an ambiguous request.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal