ClawHub

Autonomous Sync

Security checks across malware telemetry and agentic risk

Overview

This skill is for legitimate Aicoo auto-syncing, but it encourages persistent external updates of potentially sensitive project or conversation data without enough scoping or review controls.

Install only if you intentionally want Aicoo background sync. Before enabling cron, /loop, hooks, or file watchers, decide exactly what content may be sent, exclude secrets and confidential files, and prefer a manual review step before any external write.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

High
Confidence
94% confidence
Finding
The trigger list is unusually broad and includes generic terms like 'schedule', 'trigger', 'loop', and 'autonomous', which can cause the skill to activate in contexts where the user did not intend remote synchronization behavior. In a skill that can configure hooks, cron jobs, and API-backed updates to persistent remote data, unintended invocation increases the chance of silent or surprising data modification.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill provides instructions for cron jobs, hooks, loops, and API patch/create operations that can continuously modify remote Aicoo data, but it does not prominently warn about persistence, scope, frequency, or the fact that changes may continue after the immediate session. That omission is risky because users may enable background automation without understanding that future local edits or conversations could be propagated externally.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal