ClawHub

yoooclaw-work-report

Security checks across malware telemetry and agentic risk

Overview

This skill does what it says: it reads local work notifications to draft daily or weekly reports, which is privacy-sensitive but disclosed and purpose-aligned.

Install only if you are comfortable with the agent reading selected local notification logs. Set narrow apps, groups, and date ranges where possible, and review the final report for names, project details, deadlines, approvals, or confidential information before sending it to a manager or workspace.

Publisher note

Auto-generate a daily or weekly work report from your work app notifications — progress, meetings, approvals, and follow-ups in one place.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

High
Confidence
94% confidence
Finding
The skill is designed to ingest and summarize sensitive work notifications, including messages, approvals, emails, and project updates, but it does not present a clear user-facing privacy warning or consent boundary in the skill content. This creates a meaningful risk of users exposing confidential business information, personal data, or internal communications without understanding the sensitivity of the processing.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to preserve original project names, document names, person names, and deadlines from notifications in the generated report. Because the source data comes from potentially sensitive work communications, reproducing these identifiers increases the chance of leaking confidential business details or personal data into a shareable summary that may be sent to leaders or pasted into other systems.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal