Proaktiv

Security checks across malware telemetry and agentic risk

Overview

This Telegram companion has a coherent purpose, but it makes broad persistent OpenClaw changes and silently stores personal/social context in ways users should review carefully.

Review before installing. Back up SOUL.md, decide whether you accept global tools.profile changes, verify the Telegram chat ID destination, inspect or remove the cron job if you do not want recurring pings, and disable or edit the social-memory behavior if you do not want personal facts about you or others stored silently.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (40)

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The README makes a misleading assurance that the skill does not remind users of things they did not ask for, while earlier sections explicitly describe proactive outreach, weekly memory-refresh prompts, and unsolicited nudges. This kind of contradiction can undermine informed consent by causing users to install a background agent without clearly understanding that it will initiate contact on its own.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The skill gives contradictory state-management instructions: it says interest_graph.json must never be written directly, yet the removal workflow explicitly tells the agent to delete interests from that file. Inconsistent mutation rules for persistent state are dangerous because they can corrupt data, desynchronize authoritative sources, or bypass intended validation logic in interest_evolve.py.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This function mixes feedback processing with onboarding/profile mutation based on control tags embedded in a message. That creates an overly broad trust boundary: any component that can supply or relay a message to this script can also modify quiet hours, no-go topics, goals, commitments, session state, and context, which is more dangerous than a simple feedback updater. In this skill context, the risk is elevated because the file handles user-derived conversational input, so hidden or injected tags could silently alter user preferences and behavior routing.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The installer explicitly claims that no global files are modified, but later appends directives to /data/.openclaw/SOUL.md, a global routing/control file. This is dangerous because it misrepresents the installer's behavior and silently changes system-wide agent behavior beyond the scope of a local skill install.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The installer sets the global tools.profile to coding, enabling exec-capable behavior across the environment rather than only for this skill. That broad privilege expansion increases attack surface for unrelated sessions and skills, especially in an agent framework where tool access materially changes what the agent can do.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The installer injects broad routing and behavior rules into a global agent control file, including trigger handling, disclosure restrictions, and search obligations unrelated to merely copying skill assets. This crosses from installation into persistent system-wide behavior manipulation, which can affect other workflows and obscure the source of future actions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The file loads a local .env and later uses environment/session secrets to discover Telegram and OpenClaw session identifiers. In a companion skill, silently harvesting local credentials and session metadata expands privilege beyond the apparent feature set and creates a path for unauthorized messaging or account linkage if the skill or host is tampered with.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This skill does more than passive companion logic: it queries OpenClaw history and later injects messages into Telegram sessions through privileged CLI operations. In context, that means the skill can read private message history and cause external communications, which materially raises the risk of surveillance, spam, impersonation, or misuse if the skill is misconfigured or compromised.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The function harvests recent user chat content and uses it to construct system triggers, which exceeds a minimal proactive companion role and creates hidden context collection. This is dangerous because user messages may contain sensitive information that is silently repurposed for later prompting and outbound generation without clear boundary or minimization.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README describes storing names, quiet hours, no-go topics, people in the user's life, and later mentions automatically collected social facts, but does not provide a clear privacy warning, retention policy, or explanation of the sensitivity of this data. For a companion-style skill that continuously builds user profiles, lack of transparent disclosure increases the risk of unintended surveillance, overcollection, and unsafe handling of sensitive personal information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installation instructions say the installer sets up a recurring cron job and fires a startup trigger for Telegram onboarding, but the README does not present these as a prominent warning requiring explicit acknowledgement. Automatically enabling scheduled background execution and outbound messaging can surprise users and creates risk if installed in shared, production, or security-sensitive environments.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The phrase 'oder ähnliches' makes the add-interest trigger open-ended, so normal conversation could be misclassified as a command to persist new interests. Because the action writes to persistent user data and triggers a follow-on script, ambiguous intent parsing can lead to unauthorized profile changes and unexpected system-side effects.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The removal trigger examples are broad enough to match ordinary speech, especially phrases like 'X interessiert mich nicht mehr' that may be conversational rather than an explicit command. Since removal deletes persistent profile data, ambiguous matching can cause unintended loss of user preferences and inconsistent downstream behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill directs the agent to modify persistent user data files immediately when an add-interest phrase is detected, but it does not require any warning or consent checkpoint about storing data. In a proactive companion context, this is more dangerous because natural-language interactions are frequent and users may not realize a casual statement will be persisted and used to drive future automation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs deletion from persistent data stores without warning that the change is durable and may affect future recommendations or automation. In a companion/profile-management skill, silent deletion is risky because a misinterpreted utterance can permanently alter personalization state without the user understanding the consequence.

Missing User Warnings

High
Confidence
98% confidence
Finding
The file explicitly instructs the agent to silently write newly inferred personal facts about named individuals into a persistent JSON store without notifying the user or obtaining consent. This creates undisclosed collection and retention of sensitive interpersonal and preference data, which can be reused later in ways the user may not expect and may violate privacy expectations or policy requirements.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill is activated for processing calendar events and emails, then uses those sources to extract social signals about people by name. Calendar and email content are privacy-sensitive, and the instructions lack notice, consent, minimization, or boundaries on what can be inferred and retained, increasing the risk of covert profiling from sensitive communications.

Vague Triggers

High
Confidence
93% confidence
Finding
The GENERIC_TOPIC trigger is defined to activate automatically for any topic without a specific template, which is broad enough to capture ordinary conversation and route it into an unsolicited proactive workflow. In this skill, that broad scope is especially risky because it also forces web search and profile-based personalization, increasing the chance of unwanted data use, confusing behavior, and prompt-routing abuse.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instruction to 'silently update' proaktiv_state directs the agent to persist behavioral data without informing the user. Hidden state mutation creates privacy and consent issues, and can accumulate sensitive preference/history data that materially affects later interactions without user awareness.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
This workflow explicitly records goal outcomes and user mood in proaktiv_state.json without warning the user, which means potentially sensitive emotional and behavioral data is being stored covertly. In a coaching/check-in context, that data can be especially personal, making undisclosed persistence more privacy-sensitive than ordinary session state.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill directs the agent to send potentially user-derived interest data to an external search service and to persist classification results into local state, but the skill text does not provide an explicit user-facing warning, consent gate, or data-minimization rule. This creates a privacy and integrity risk because unvetted personal preference data may be disclosed externally and state can be modified based on ambiguous search results or chat commands.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger list uses very broad phrases such as "SUNO" and "AI MUSIC," which can activate the skill in contexts where the user did not clearly request this specific capability. That increases the chance of unintended invocation, tool use, and instruction hijacking from unrelated conversations, especially because the skill directs external research steps.

Natural-Language Policy Violations

Medium
Confidence
84% confidence
Finding
The skill hardcodes German output ("SPRACHE: Deutsch, du-Form") regardless of the user's language or preference. This can override user intent, reduce transparency, and cause confusing or misleading output in multilingual contexts, though it is primarily a policy and usability risk rather than a severe security issue.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The trigger list uses very broad keywords like "WEC" and "ENDURANCE" with no activation constraints, so the skill can be invoked in unrelated contexts where those terms appear incidentally. This increases the risk of unintended routing, response hijacking, or suppression of a more appropriate skill, especially in conversations about endurance sports, cars, or general racing topics.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill hard-codes German output ("SPRACHE: Deutsch, du-Form") without checking the user's language preference. This can override user expectations, degrade usability, and in multi-skill environments may cause policy or routing conflicts when a different language was requested or implied.

VirusTotal

64/64 vendors flagged this skill as clean.
