Local event finder

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly an event finder, but it also offers calendar access and a recurring weekly automation without enough up-front scoping, so users should review it before installing.

Install only if you are comfortable with an event finder that can optionally use Google Calendar and set up a recurring weekly scan. Decline the calendar connector unless you want availability-aware recommendations or calendar event creation, and decline the weekly automation unless you understand when it will run and how to remove it later.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Context-Inappropriate Capability

Medium (92% confidence)
Finding
The setup flow expands the skill from event discovery into calendar-connector enablement and possible event insertion, which introduces new capabilities with account-access and side effects beyond the stated purpose. Even though it asks the user first, this is still risky because the file provides no clear scope limitation, privacy notice, or stronger consent boundaries for accessing calendars and modifying them.

Context-Inappropriate Capability

Medium (94% confidence)
Finding
The instructions direct the agent to create a recurring automation, which is a persistent side effect not implied by a simple event-suggestion skill. Persistent scheduled actions can continue operating after the initial interaction, potentially causing ongoing data access, notifications, or resource use that the user did not fully anticipate.

Vague Triggers

Medium (92% confidence)
Finding
The skill advertises very broad trigger phrases like 'things to do,' 'what's on,' 'find,' and 'discover,' which overlap with many ordinary user requests and can cause the skill to activate when the user did not specifically intend event discovery. Over-broad activation increases the chance the agent enters a multi-step workflow unnecessarily, creates run artifacts, and processes user context more than needed.

Missing User Warnings

Medium (90% confidence)
Finding
The setup text describes enabling calendar access and creating automations without warning the user about privacy implications, ongoing external effects, or account changes. In a skill that appears focused on finding events, the lack of disclosure increases the chance that users consent without understanding that the agent may gain access to calendars or set up persistent tasks.

VirusTotal

VirusTotal findings are pending for this skill version.