Aight Utils

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Aight reminder and task helper, with disclosed persistence but some consent and timezone caveats.

Install this only if you want the agent to create and update Aight reminders or tasks. Ask it to confirm ambiguous requests, verify the interpreted date, time, and timezone before saving reminders, and avoid placing highly sensitive details in items because failed creations may be written to local fallback files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 92%
Finding
The skill metadata and description are broad enough to match common phrases about reminders, tasks, deadlines, or tracking, which increases the chance of unintended invocation. In this skill, unintended invocation is meaningful because it can create or update records in the user's Aight app and, on failure, may write fallback data to local files, causing unwanted state changes from ordinary conversation.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill does not clearly warn that it performs side-effecting operations in the user's Aight app and may write fallback data to local files if creation fails. That lack of transparency can lead to non-consensual record creation, silent status updates, or unexpected local persistence of potentially sensitive task and reminder content.

Natural-Language Policy Violations

Medium
Confidence: 90%
Finding
The skill hard-codes 'Current time' and timezone context as Asia/Shanghai for date parsing without confirming the user's actual locale or timezone. In a reminder and deadline skill, incorrect time normalization can cause reminders, deadlines, or status workflows to fire at the wrong time, leading to missed commitments or erroneous urgency handling.

VirusTotal

66/66 vendors flagged this skill as clean.
