ClawHub

ADHD Assistant

Security checks across malware telemetry and agentic risk

Overview

This ADHD productivity assistant is not malicious, but it asks the agent to handle and potentially remember sensitive mental-health and treatment details without enough consent and privacy controls.

Review before installing. Use it only if you are comfortable with ADHD-specific framing and avoid storing medication, therapy, diagnosis, or emotional-sensitivity details unless you have a clear way to opt in, inspect, edit, and delete that memory. The evidence does not show malware or data exfiltration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The activation guidance is broad enough that this skill could trigger on many ordinary productivity or emotional-support requests, causing it to engage outside clearly bounded ADHD-related contexts. Because the skill also handles sensitive mental-health-adjacent topics and memory collection, over-activation increases the chance of inappropriate response framing and unnecessary collection of sensitive personal information.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The listed trigger phrases are common everyday statements that many users make without intending to invoke a specialized mental-health-adjacent skill. In this context, that can lead to the assistant inferring ADHD-related framing or offering emotionally loaded guidance where a generic planning response would be safer and more appropriate.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill explicitly proposes storing highly sensitive information such as ADHD status, treatments, emotional sensitivities, energy patterns, and behavioral pitfalls in memory, but does not require informed consent or provide any privacy warning. If retained or surfaced improperly, this data could expose mental-health-related information and create significant privacy and safety risks disproportionate to a productivity assistant's core function.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal