Back to skill

Security audit

yoooclaw-family-digest

Security checks across malware telemetry and agentic risk

Overview

This skill transparently reads recent local notification files to summarize family-related messages, with no hidden code or persistence, but users should invoke it only when they intend that private notification data to be processed.

Install only if you are comfortable with the agent reading local phone notification JSON files for the requested dates. Prefer specific requests such as a person, family topic, or date range, and avoid broad prompts if you do not want unrelated private notifications processed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill advertises very broad natural-language trigger phrases such as '今天的通知' and '重要信息', which are likely to match common everyday requests unrelated to this specific family-digest function. In a notification-reading skill, overbroad invocation increases the chance of unintended activation and exposure of sensitive family communications when the user did not explicitly intend to access them through this skill.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.