Proactive Agent (wyblhl fork)

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local memory skill, but it needs Review because it can automatically store and resurface broad conversation details in plaintext workspace files without strong user controls.

Install only if you intentionally want a local persistent-memory system. Avoid using it with secrets, credentials, regulated personal data, or shared workspaces unless you add clear opt-in, redaction, retention, and deletion controls; review USER.md, SOUL.md, SESSION-STATE.md, MEMORY.md, memory/working-buffer.md, and recovery output regularly.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill clearly instructs file reads/writes across the workspace and references web search/network-style capabilities, yet no explicit permission model or user-consent boundary is declared. This mismatch is dangerous because it encourages deployment with broader effective access than the metadata communicates, increasing the chance of silent data persistence or external access without informed review.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The heartbeat state includes email/calendar monitoring fields and the checklist suggests periodic checks for proactive actions without any clear authorization model, scope limitation, or consent flow. In an agent skill focused on proactive behavior and memory, undocumented monitoring capabilities can expand data access beyond user expectations and create unnecessary surveillance risk.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code advertises buffer initialization/reset semantics, but the clear routine it relies on only appends a marker instead of deleting the prior contents. In a memory/logging component, this mismatch can lead operators or downstream agents to believe sensitive history was removed when it remains fully recoverable on disk, increasing privacy and retention risk.
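The following is an added example, not code from the skill or from the scanner output, illustrating the divergence this finding describes and the check an operator can run against a workspace file. The marker string, file layout and sample exchange are assumptions: the page does not show the skill's actual clear routine or marker.

```python
import os
import tempfile

# Hypothetical marker string; stands in for whatever text a marker-only
# "clear" appends. The real skill's marker, if any, is not shown on this page.
CLEAR_MARKER = "\n--- buffer cleared ---\n"


def clear_by_marker(path: str) -> None:
    """The divergent behaviour the finding describes: 'clear' only appends a
    marker, so every earlier line stays on disk."""
    with open(path, "a", encoding="utf-8") as fh:
        fh.write(CLEAR_MARKER)


def clear_by_truncate(path: str) -> None:
    """A clear that matches the advertised reset semantics: truncate the file
    so prior entries are no longer in the live file. (Backups, editor swap
    files and filesystem journals are a separate retention problem.)"""
    with open(path, "w", encoding="utf-8"):
        pass


def prior_content_recoverable(path: str, needle: str) -> bool:
    """Operator check: after a clear, can a string from the old history still
    be read back from the live file?"""
    with open(path, "r", encoding="utf-8") as fh:
        return needle in fh.read()


def history_survives_marker(path: str) -> bool:
    """Audit an existing buffer file without knowing its contents: True if
    there is non-blank text above the most recent clear marker, which means
    a marker-only clear has been used on it."""
    with open(path, "r", encoding="utf-8") as fh:
        data = fh.read()
    head, sep, _tail = data.rpartition(CLEAR_MARKER)
    return bool(sep) and bool(head.strip())


def demo(clear_fn, check) -> bool:
    """Write a constructed exchange to a temporary buffer file, run clear_fn,
    then return the result of check(path)."""
    fd, path = tempfile.mkstemp(suffix=".md")
    os.close(fd)
    try:
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("## working-buffer\n")
            # Constructed sample line; not real data.
            fh.write("[human] my staging token is EXAMPLE-TOKEN-123\n")
        clear_fn(path)
        return check(path)
    finally:
        os.remove(path)


def needle_check(path: str) -> bool:
    return prior_content_recoverable(path, "EXAMPLE-TOKEN-123")


if __name__ == "__main__":
    print("marker-only clear, history recoverable:", demo(clear_by_marker, needle_check))
    print("truncating clear, history recoverable:", demo(clear_by_truncate, needle_check))
    print("marker-only clear flagged by audit:", demo(clear_by_marker, history_survives_marker))
```

The needle check is what a reviewer runs once against a file they just "cleared"; the marker audit is the one to run periodically over memory/working-buffer.md and similar files, since it needs no knowledge of what was written before.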

Vague Triggers

Medium
Confidence
83% confidence
Finding
The WAL trigger conditions are extremely broad, covering common conversational elements like names, preferences, corrections, and numbers. In practice this can cause the skill to activate and persist user data during ordinary chat, creating over-collection and unintended file writes far beyond narrowly scoped task state.

Vague Triggers

Medium
Confidence
80% confidence
Finding
The compaction recovery auto-triggers include vague phrases such as 'continue' or situations where the agent 'should know something but don't,' which are hard to distinguish from normal conversation. This can invoke recovery behavior unnecessarily, causing broad file reads and extraction of stored context when the user did not intend memory recovery.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The quick-start flow directs automatic population of USER.md and SOUL.md from user answers without a clear upfront privacy warning or consent model. This is dangerous because it persists personal identity, preferences, and behavioral context into durable workspace files that may later be searched, reused, or exposed.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The onboarding flow states that the agent will automatically populate persistent files (USER.md and SOUL.md) from the user's answers, but it does not clearly warn the user at the point of collection that their responses will be written to disk. This can lead users to disclose sensitive personal or project information under the assumption that they are only chatting, creating an informed-consent and privacy risk in a skill explicitly designed to gather ongoing personal context.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The working buffer directs the system to log every exchange once a threshold is reached, but there is no user-facing disclosure, consent mechanism, or retention boundary. Because this skill is explicitly designed for persistent agent memory, silent transcript capture increases privacy risk and may store sensitive user content unexpectedly.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The WAL protocol captures preferences, decisions, proper nouns, and specific values before responding and persists them to SESSION-STATE.md without informing the user. This creates a clear privacy issue because personally identifying or sensitive contextual details may be stored long-term as part of normal interaction.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The checklist explicitly tells the agent to scan memory for repeated patterns and review prior decisions, which encourages ongoing monitoring and retention of user interaction history without any privacy boundary, consent check, or data minimization guidance. In a proactive-agent skill, this is more dangerous because it operationalizes routine surveillance-like behavior as part of normal execution, increasing the chance of over-collection and use of sensitive historical context.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The 'Proactive Opportunities' section encourages the agent to identify things it could build or create without being asked, normalizing action before explicit authorization. In the context of a skill designed to make agents more proactive, this can lead to unauthorized changes, unwanted outputs, or actions based on incorrect assumptions about user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The recovery flow reads working buffer, session state, daily notes, and memory content, then writes the aggregated recovery data back to disk in compaction-state.json without any consent gate, minimization, or redaction. This increases exposure of potentially sensitive user and session data by duplicating it into another file and making broad resurfacing of prior context easy after truncation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The CLI exposes raw working buffer, session state, and full recovery JSON directly to stdout, which can leak sensitive contents into terminal scrollback, logs, shell history capture, or calling-process logs. Because there is no warning, masking, or scoped output, an operator may unintentionally disclose prior private context.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The unified_search function reads SESSION-STATE.md, MEMORY.md, and daily notes and reports whether the user-supplied query matches those files, but there is no authorization check, consent flow, redaction, or user-facing disclosure that sensitive memory stores are being searched. In an agent skill centered on persistent memory and proactive behavior, this increases the chance of exposing confidential prior context, secrets, or private notes to a caller who may not realize these sources are consulted.

Missing User Warnings

High
Confidence
98% confidence
Finding
The script persists raw user message content plus extracted identifiers such as emails, URLs, dates, numbers, and names into a session-state file without notice, consent, or any minimization. This creates a privacy and data-handling risk because sensitive or regulated information may be stored locally in cleartext and retained longer than the user expects.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Human messages and agent summaries are written verbatim to a persistent file without any notice, consent flow, redaction, or retention controls. Because this skill is explicitly designed for proactive agents and memory persistence, it is more dangerous than ordinary transient logging: users may unknowingly store secrets, personal data, credentials, or internal prompts on disk.

Ssd 3

Medium
Confidence
92% confidence
Finding
The WAL protocol mandates writing a wide range of user-provided details to SESSION-STATE.md before responding, including names, preferences, decisions, URLs, and specific values. This creates a systematic pipeline for persistent retention of potentially sensitive data, even when that storage is unnecessary for the task.

Ssd 3

High
Confidence
97% confidence
Finding
The working buffer requires logging every human exchange after a context threshold, along with agent summaries, into a persistent file. This is especially risky because it captures entire conversations in bulk during a 'danger zone' without any sensitivity filtering, dramatically increasing the likelihood of storing secrets, personal data, or confidential task content.

Ssd 3

Medium
Confidence
90% confidence
Finding
Auto-populating long-term USER.md and SOUL.md from onboarding answers creates persistent identity and preference profiles from conversational input. This can accumulate sensitive personal context over time, making later leakage, misuse, or over-reliance on stale private data more likely.

Ssd 3

Medium
Confidence
91% confidence
Finding
Persisting broad categories of user-provided content to memory creates a real data retention and later disclosure risk, especially when proper nouns, preferences, and decisions are automatically extracted. In a proactive memory-oriented skill, this is more dangerous because the architecture is explicitly designed to retain and reuse conversational data across sessions.

Ssd 3

High
Confidence
97% confidence
Finding
Requiring logging of every exchange and providing a function to read the entire buffer enables broad accumulation and replay of prior user conversations. This substantially increases the chance of sensitive information being exposed to later prompts, summaries, recovery flows, or other users in a shared environment.

Ssd 3

Medium
Confidence
92% confidence
Finding
The recovery workflow aggregates multiple memory sources and presents a recovery summary, which can inadvertently resurface sensitive historical data that the user did not intend to re-expose. Because the skill is built to recover context after truncation, it increases the likelihood of over-broad recall and disclosure across sessions.

Ssd 3

Medium
Confidence
90% confidence
Finding
The recovery design intentionally reconstructs and re-presents prior human/session content in plain language to resume work after context loss. In a proactive-memory skill, that behavior is more dangerous because the feature normalizes broad recall of historical content and can surface data beyond what is necessary for the current task.

Ssd 3

High
Confidence
97% confidence
Finding
The module is explicitly designed to persist user-provided content and extracted identifiers into session memory before responding, normalizing collection of potentially sensitive data as part of routine operation. In an agent skill context, this is more dangerous because it encourages default surveillance-like logging of conversational content without contextual sensitivity checks or user approval.

Ssd 3

High
Confidence
99% confidence
Finding
The implementation writes portions of human messages and extracted emails, URLs, dates, numbers, and names into a persistent markdown log, which can expose personal, confidential, or operationally sensitive data to anyone with filesystem access. Because the data is stored in cleartext and appended indefinitely, compromise of the host, backups, or shared workspace can lead to privacy breaches and unintended secondary use of the data.
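The findings above on stdout exposure, on raw identifiers being persisted, and on cleartext append-only logs all point at the same missing layer: redaction before write, a retention bound, and a way to delete by identifier. The following is an added example of such a layer, not the skill's own code and not part of the scanner output. The SESSION-STATE.md layout, the entry format, the salt and the sample messages are assumptions; the regexes cover emails, URLs, long digit runs and key/value-style secrets, and deliberately do not attempt names, which a regex cannot match reliably.

```python
import hashlib
import re
from datetime import datetime, timedelta, timezone

# One combined pattern so every identifier class is replaced in a single pass
# and a replacement can never be re-matched by a later rule.
IDENTIFIER_RE = re.compile(
    r"(?P<secret>\b(?i:api[_-]?key|token|password|secret)\b\s*[:=]\s*\S+)"
    r"|(?P<email>[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,})"
    r"|(?P<url>https?://[^\s)>\]]+)"
    r"|(?P<number>(?<!\d)\d{9,}(?!\d))"  # card-, phone- and account-sized runs
)


def fingerprint(value: str, salt: str) -> str:
    """Short salted hash: lets a later session recognise 'the same email as
    before' without the email itself being on disk. In real use the salt is a
    per-workspace secret kept outside the memory files (assumed here)."""
    return hashlib.sha256((salt + "\0" + value).encode("utf-8")).hexdigest()[:12]


def redact(text: str, salt: str) -> str:
    """Secrets are dropped outright; other identifiers become class-tagged
    fingerprints. Safe to apply both before writing and before printing."""
    def replace(m):
        if m.lastgroup == "secret":
            return "<redacted-secret>"
        return f"<{m.lastgroup}:{fingerprint(m.group(0), salt)}>"
    return IDENTIFIER_RE.sub(replace, text)


def wal_line(message: str, ts: datetime, salt: str) -> str:
    """One write-ahead-log entry; timestamp first so retention can parse it."""
    return f"- {ts.isoformat()} {redact(message, salt)}"


def build_log(messages, now: datetime, salt: str) -> list:
    """Assumed SESSION-STATE.md shape: a header plus redacted entries."""
    lines = ["# SESSION-STATE", "", "## WAL (redacted)"]
    lines += [wal_line(m, now, salt) for m in messages]
    return lines


def _entry_time(line: str):
    """Timestamp of an entry line, or None for headers and blank lines."""
    if not line.startswith("- "):
        return None
    try:
        return datetime.fromisoformat(line[2:].split(" ", 1)[0])
    except ValueError:
        return None


def prune(lines, now: datetime, max_age_days: int) -> list:
    """Retention control: drop entries older than max_age_days, keep the rest."""
    limit = timedelta(days=max_age_days)
    kept = []
    for line in lines:
        ts = _entry_time(line)
        if ts is None or now - ts <= limit:
            kept.append(line)
    return kept


def forget(lines, value: str, salt: str) -> list:
    """Deletion control: remove every entry that references an identifier,
    addressed by fingerprint so the raw value is never written to find it."""
    fp = fingerprint(value, salt)
    return [line for line in lines if fp not in line]


# Constructed sample exchange; not real data.
SAMPLE_MESSAGES = [
    "Contact me at alice@example.com about the deploy",
    "Staging is at https://staging.example.com/app and my card is 4111111111111111",
    "token: EXAMPLE-SECRET-VALUE please remember it",
]
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)


def demo_log(salt: str = "example-salt") -> list:
    return build_log(SAMPLE_MESSAGES, DEMO_NOW, salt)


def demo_retention(salt: str = "example-salt") -> list:
    """A 45-day-old entry is pruned at a 30-day bound; a 5-day-old one is kept."""
    old = wal_line("old note", DEMO_NOW - timedelta(days=45), salt)
    fresh = wal_line("fresh note", DEMO_NOW - timedelta(days=5), salt)
    return prune(["# SESSION-STATE", old, fresh], DEMO_NOW, 30)


if __name__ == "__main__":
    for line in demo_log():
        print(line)
```

Running redact over the text before it reaches stdout addresses the scrollback/log leak as well as the on-disk one, and forget gives the user the deletion control the review summary asks for without having to grep the memory files for the raw value.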

VirusTotal

63/63 vendors flagged this skill as clean.
