工作辅助01

Security checks across malware telemetry and agentic risk

Overview

This is a coherent task-management skill, but it grants ongoing scheduled access and broad import/export/sync abilities over potentially sensitive work data.

Install only if you are comfortable storing work tasks and OKRs in a local SQLite database, writing reports under ~/.hermes, and enabling recurring jobs. Treat Feishu document/app tokens as secrets, avoid putting real tokens in command history or screenshots, and make backups before using database import, hard delete, or cleanup commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

MCP Least Privilege

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises significant capabilities—local file read/write via SQLite and report export, shell execution through the CLI entrypoint, and network access for Feishu/OKR sync—without any declared permissions or user-facing approval boundary. This creates a transparency and consent gap: the agent may process, export, or transmit work data in ways the user did not explicitly authorize.

MCP Tool Poisoning

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The documented purpose is a personal task assistant, but the described behavior extends into full database export/import, destructive maintenance, cron registration, and generation of structured context for upstream LLM use. That mismatch is dangerous because users may invoke the skill expecting simple task management while unknowingly enabling data exfiltration, destructive state changes, or broader automation affecting their environment.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The raw `db export` and especially `db import` operations allow wholesale extraction and replacement of the assistant's underlying data store from the same user-facing CLI. In an agent or shared-runtime context, that can enable bulk data exfiltration, destructive overwrite, or ingestion of attacker-controlled state well beyond normal task-management actions.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The auto-load conditions include common intents like tasks, reminders, progress, reports, and OKR-related requests, which are broad enough to trigger in ordinary conversation. Unintended activation matters here because the skill can modify a local database, schedule reminders, and potentially sync or generate reports from sensitive work data.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The listed trigger keywords are very generic everyday terms, increasing the chance that unrelated chats activate the skill. In this context, accidental activation is more dangerous than a read-only helper because the skill supports writes, reminders, reporting, and external OKR synchronization.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The documentation describes scheduled reminders and OKR sync as convenience features but does not clearly warn that they automatically process and may push user work data on a schedule. Users may therefore expose task details, OKR progress, and work summaries without understanding the ongoing automated handling of their data.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The skill exposes destructive operations such as hard deletion, database import/replace, and cleanup, but the description does not prominently warn users about data loss risks. In a task-management context, this can lead to irreversible loss or corruption of personal work records if commands are triggered accidentally or misunderstood.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The OKR sync example requires a document token, but the reference does not identify it as sensitive or warn against exposing it in shell history, logs, screenshots, or shared scripts. Tokens used directly on the command line are commonly leaked through process lists and terminal history, which can enable unauthorized access to external documents or APIs.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The example shows automatic generation of a report file under a user home directory without any warning, confirmation, or explanation that data will be written to disk. In a personal-assistant skill that handles work tasks, reports, and OKR data, silent local persistence can surprise users and may expose sensitive work information to other local users, backups, or synced folders.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example normalizes synchronization with an external document source without any privacy, authorization, or data-sharing warning. Because this skill processes work planning and OKR information, syncing to or from external services can expose internal business data, metadata, or identifiers if users are not clearly informed and consent is not obtained.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The module aggregates detailed task, deadline, OKR, progress, and workload data into a plaintext prompt for an upstream LLM, but this file shows no minimization, consent, redaction, or destination controls. In a personal-assistant skill, that context can contain sensitive workplace information, so sending it upstream increases privacy and confidentiality risk if the model provider, logs, or downstream systems are not fully trusted.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script creates unattended scheduled jobs that automatically read local task data and external Feishu content, but provides no consent flow, visibility, or warning that ongoing background access will continue after registration. In a personal-assistant context, this increases privacy risk because task lists, deadlines, and OKR data are likely sensitive work information and will be accessed on a recurring basis without a fresh user action.

Ssd 3

Medium
Confidence
97% confidence
Finding
The example output displays a document token directly in a routine status response, which teaches or normalizes secret disclosure in logs, screenshots, chat history, and terminal scrollback. If a real access token is exposed this way, an attacker or unintended recipient could reuse it to access external documents or linked organizational data.

Ssd 3

Medium
Confidence
89% confidence
Finding
The `advice` command prints `advisor.get_context_for_llm()` directly, which appears intended to dump aggregated personal task and OKR context in plain text. If invoked in an agent environment, logs, transcripts, or downstream model/tool calls may receive more personal or business-planning data than necessary, increasing privacy and data-leak risk.

VirusTotal

66/66 vendors flagged this skill as clean.