Back to skill

Security audit

yoooclaw-family-digest-en

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent family-notification summary purpose, but it reads sensitive notification contents and can be invoked by overly broad phrases that may not clearly express consent to analyze private family messages.

Review before installing. This skill is intended to read local notification files and summarize family-related messages, including potentially sensitive communications from spouses, parents, teachers, and schools. Install it only if you are comfortable with that data being analyzed in-session, and prefer invoking it with explicit family-summary requests rather than generic prompts like 'important information' or 'today’s notice.'

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger list is extremely broad and overlaps with ordinary conversational queries such as 'important information' and 'today’s notice,' which can cause the skill to activate in contexts far beyond a narrowly scoped family-digest request. Because the skill is designed to load and summarize sensitive notification data, overbroad invocation increases the chance of unintended access to private family messages and disclosure of sensitive content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill processes highly sensitive personal data from mobile notifications, including family communications, school notices, and inferred relationships, yet it does not present an explicit privacy warning or consent boundary before analysis. This creates a meaningful risk that users will not understand the sensitivity of the data being accessed or the extent of inference being performed on spouses, children, and elders.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.