ClawHub
Back to skill

Security audit

adhd-assistant

Security checks across malware telemetry and agentic risk

Overview

This instruction-only ADHD productivity assistant is coherent, but it asks to remember sensitive ADHD and treatment details without clear consent or privacy controls.

Review this before installing if you do not want ADHD, treatment, routine, or emotional-sensitivity details stored in persistent memory. Use it only with clear memory settings, avoid saving diagnosis or medication details unless you intentionally opt in, and treat it as productivity support rather than medical or therapy guidance.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
87% confidence
Finding
The activation conditions and trigger phrases are broad enough to match many ordinary stress, productivity, or emotional-support requests, which could cause the skill to activate for users who did not explicitly seek ADHD-oriented guidance. In this context, over-triggering is risky because the skill handles sensitive mental-health-adjacent topics and may steer conversations toward storing personal data or providing quasi-therapeutic framing without clear consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly proposes remembering sensitive mental-health-related information such as diagnosed or suspected ADHD, treatments, emotional sensitivities, and behavioral pitfalls, but it does not require explicit informed consent or provide a clear privacy warning about persistence. This creates a real privacy and safety risk because sensitive health-adjacent data could be retained unexpectedly, exposed to future contexts, or used in ways the user did not anticipate.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.