ClawHub

Pulse Skills

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Pulse/Aicoo integration, but it asks for broad authority to sync local content, manage sharing, monitor inboxes, and run recurring automation without enough built-in user control.

Install only if you are comfortable giving the agent access to your Aicoo/Pulse workspace and letting it send selected local files, notes, calendar/email-derived summaries, inbox metadata, and share-link settings to Aicoo. Before enabling hooks, loops, routines, or cron jobs, restrict folders, review files for secrets or private data, prefer folder-scoped links with expiration, avoid guest write/edit access unless needed, and keep logs/state files private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (46)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill performs broad network operations and provides shell command examples, but it does not declare permissions or constrain when those capabilities may be used. This creates a governance gap where an agent may invoke powerful data-sync, sharing, or remote tool actions without an explicit permission boundary or user-approval model.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README promotes optional hooks, loops, and cron jobs that automatically sync knowledge, generate briefings, and monitor inboxes, but it does not clearly warn users that these features can cause ongoing background transmission of workspace data to Aicoo. In a skill specifically designed for context sync and agent sharing, this omission increases the risk of users enabling persistent exfiltration-like behavior without understanding the privacy and data-handling implications.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger description is extremely broad and includes catch-all language such as any mention of agent-to-agent communication via Pulse. That increases the chance of unintended activation, causing the skill to run on ambiguous prompts and potentially transmit, sync, or share user data when the user did not clearly intend to use Pulse.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill advertises syncing, sharing, inbox monitoring, and agent-to-agent communication without a prominent privacy warning about external data transmission and exposure scope. Users may not realize that notes, files, identity documents, network metadata, and messages can be sent to a third-party service or shared externally.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The empty matcher causes the UserPromptSubmit hook to run for every user prompt, regardless of whether the Pulse skill is actually relevant. In this skill's context, that means a local script is invoked on all prompts, expanding the monitoring surface and creating unnecessary opportunities for prompt-triggered side effects, data collection, or unintended activation of Pulse-related behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script prints inbox message content, contact identifiers, sender labels, request IDs, and request origin data to stdout, and its own example shows redirecting that output into a log file. In a cron context, stdout/stderr commonly ends up in world-readable temp files, centralized log systems, shell history snippets, or admin mail, which can expose private inbox contents and relationship metadata to unintended parties.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script collects local markdown file contents and recent git activity, then uploads them to a remote API without any interactive confirmation, dry-run mode, or prominent warning at execution time. In a cron/scheduled context this can silently exfiltrate sensitive internal notes, secrets embedded in docs, or commit metadata to an external service, especially if users do not realize the scope of data being synced.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes very generic terms such as "schedule," "loop," "trigger," and "autonomous," which can cause the skill to activate outside the user's intended context. Because this skill performs automated sync behavior to a remote service and can modify notes, unintended activation raises the risk of unreviewed data transmission or note changes.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill presents automation setup without clearly warning that it may periodically send data to an external API and modify existing notes. Users may enable cron jobs, hooks, or loops without understanding the persistence and scope of data sharing, which undermines informed consent and increases the chance of accidental oversharing or destructive updates.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list is very broad and overlaps with common user requests such as searching notes, browsing workspace, or updating an agent. That increases the chance the skill is invoked in contexts the user did not clearly intend, which can lead to unintended data access or sync actions against an external service.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill includes a destructive delete workflow but gives no instruction to confirm user intent, preview affected paths, or require a safety check before execution. In an agent setting, that creates a realistic risk of accidental or overly broad deletion of user knowledge synchronized to Pulse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example normalizes uploading a local directory's file contents to an external service without any explicit warning, confirmation of scope, or guidance to review sensitive files first. In a context-sync skill, this can lead users to transmit secrets, internal documentation, credentials, or other confidential material under the assumption that syncing project docs is routine and safe.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs sending aggregated user context such as notes, calendar, todos, and email-attention summaries to an external service, but provides no user-facing warning, consent flow, or data-handling disclosure. In this context, the omission is dangerous because a daily brief naturally concentrates sensitive personal and business information, increasing privacy and confidentiality risk if transmitted unexpectedly.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill includes PATCH and DELETE operations that can narrow, downgrade, or revoke share links, but it does not require an explicit confirmation step before taking those state-changing actions. In an agent setting, that omission is dangerous because a user asking for an audit could inadvertently trigger destructive changes to sharing configuration or loss of access.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs use of the PULSE_API_KEY to access network state and sharing data without any warning about secure handling of the credential or exposure risks. Because this key authorizes access to sensitive sharing metadata and note-search endpoints, normalizing its use without safeguards increases the chance of accidental leakage through logs, transcripts, shell history, or unsafe execution environments.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs use of a bearer API key to access conversations and network requests, which are private communications, but provides no consent, authorization, or privacy-handling guidance. In an agent setting, this can normalize silent access to sensitive inbox data and lead to unauthorized monitoring or overcollection if the skill is invoked in broad contexts.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The automation examples encourage continuous polling, stateful tracking of new items, and generation of summaries or recommended replies, but omit any privacy, retention, or access-control safeguards. This increases the risk of persistent surveillance of inbox contents and unnecessary exposure of sensitive message data through logs, summaries, cron output, or automated downstream actions.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger list is broad enough to activate the onboarding skill for generic terms like 'init', 'register', or 'API key', which can cause the agent to enter a workflow that requests credentials, inspects local files, and prepares remote sync actions without clear user intent. In this skill's context, over-broad activation is more dangerous because the subsequent steps involve sensitive account setup and data-sharing operations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to create and export a live API key and immediately use it in authenticated requests, but does not warn about secret handling, shell history exposure, least-privilege scoping, or the trust implications of connecting the agent to a remote service. In context, this is risky because onboarding users are likely inexperienced and may follow the instructions verbatim without understanding credential and data exposure risks.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill tells the agent to scan local documents and then upload file contents to a remote endpoint, but provides no privacy review, consent checkpoint, or filtering guidance for secrets, proprietary material, or personal data. This is particularly dangerous in context because onboarding is framed as routine setup, which can normalize bulk collection and transmission of sensitive workspace content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documented example creates a share link with scope set to 'all' and read access, but does not explain what content becomes accessible or caution the user about over-sharing. In this context, the danger is elevated because the skill is onboarding-first, so users may create a broadly permissive link before they understand the boundaries of their synced notes and identity files.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The example instructs the agent to scan local files and upload project documents to a remote service without any warning, consent checkpoint, or guidance on limiting scope. In an onboarding flow for startup founders, local files are likely to contain sensitive business, technical, legal, or personal data, so normalizing bulk exfiltration to a third party is dangerous.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The example creates an investor-facing share link and says to share it externally with no account required, but it does not warn about the risk of exposing confidential startup information. This can lead users to publish internal notes or folder contents beyond intended recipients, especially if link forwarding or overbroad folder selection occurs.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The trigger list is broad enough to fire on generic phrases like 'share link' or 'write access', which can cause the skill to activate in situations where the user did not clearly intend to create or modify external sharing. In a skill that can expose an agent and enable guest interaction, accidental invocation materially increases the chance of unintended data sharing or permission changes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill walks the operator through creating public or guest-accessible links without an upfront warning that this may expose synced notes, calendar data, or agent behavior to third parties. Because the feature includes write and edit permissions for guests, omission of a clear privacy and access warning makes unsafe sharing much more likely in normal use.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal