yoooclaw-hotspot-topic-scout

Security checks across malware telemetry and agentic risk

Overview

This skill is purpose-aligned but needs review because it reads broad phone notifications and private group/team/fan communications with weak source controls.

Install only if you are comfortable letting it inspect selected notifications and communication sources for content ideation. Use narrow app, group, and time limits; avoid personal chats, confidential team channels, client messages, and authentication-code notifications; ask for private signals to be aggregated or redacted before they are searched or included in output.

Publisher note

Scan your group chats, app notifications, and the web to surface trending topics and content ideas tailored to your niche.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill explicitly collects phone notifications, group chats, team discussions, and fan feedback, but it does not require any explicit user-facing privacy warning, consent checkpoint, or minimization language before accessing that data. Because notifications and chat previews often contain sensitive personal or business information, silent collection for content ideation creates a real privacy exposure risk even if the feature is intended to help the user.

Ssd 3

High
Confidence: 97%
Finding
The skill directs the agent to read and summarize private notification content from group chats, team discussions, and fan feedback, which can include confidential, personal, or commercially sensitive information. Summarizing that content into the output risks disclosing private communications beyond their original context, especially when internal discussions and fan messages are turned into sharable topic recommendations.

Ssd 3

High
Confidence: 98%
Finding
The workflow operationalizes the privacy issue by instructing the agent to query notifications, extract team topic discussions, group-shared events, and repeated fan questions, then merge them into a final report. This makes the exposure more dangerous because it is not incidental; it is a designed data-processing flow that systematically transforms private communications into summarized outputs that may reveal sensitive internal strategy, user concerns, or private group content.

Ssd 3

High
Confidence: 96%
Finding
The output format explicitly requires citing notification-derived sources and surfacing material from comments, direct messages, groups, and team relays, which increases the likelihood that private communications will be exposed or inferable in the final response. Even when not quoting verbatim, source attribution plus summarized content can deanonymize participants, leak internal discussions, or reveal sensitive audience and business signals.

VirusTotal

VirusTotal findings are pending for this skill version.
