Eisenhower Task Manager

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed task manager, but its optional dashboard includes an unauthenticated browser terminal that can run the user's real shell.

Install only if you specifically want a local web dashboard with shell access. Run it on a trusted machine, keep it bound to localhost or otherwise network-isolated, avoid daemon mode unless needed, do not expose the port to other devices, and review task changes before accepting deletes, archives, or renumbering.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection

Findings (22)

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
An integrated web terminal is far outside the legitimate scope of a task manager and effectively creates a generic remote shell surface behind the dashboard. If launched, it could permit arbitrary command execution, access to local files and secrets, and lateral actions unrelated to task tracking.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding:
The documentation instructs users to launch a persistent Node.js web server and browser dashboard, expanding the operational scope well beyond basic task editing. This increases attack surface through network exposure, long-running processes, PID/log management, and potential dependency/runtime issues that are not necessary for the advertised function.

Description-Behavior Mismatch

Severity: Medium
Confidence: 86%
Finding:
This package manifest includes terminal-emulation, WebSocket, and pseudo-terminal dependencies that are atypical for a task-management dashboard and materially expand the attack surface toward interactive shell capability. In the context of an agent skill, these dependencies suggest the dashboard may expose command-execution or terminal proxy features, which would be dangerous if reachable by a user or another component.

Context-Inappropriate Capability

Severity: High
Confidence: 91%
Finding:
The combination of node-pty, xterm, express-ws, and ws indicates support for browser-accessible terminal sessions over WebSockets, which is unjustified by the stated task-manager purpose. Even at the manifest level, this mismatch is security-significant because it points to hidden or unnecessary remote-interaction capability that could enable command execution, persistence, or data access if implemented insecurely.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding:
The frontend defines persistent terminal state and later initializes a browser-accessible terminal session over WebSocket, which is unrelated to the stated task-management purpose. Exposing an interactive shell in a business dashboard materially increases attack surface and can enable remote command execution or unauthorized host access if the backend terminal endpoint is reachable.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
This code fully implements a browser terminal, including UI toggling, local persistence, WebSocket connection to /terminal, resize signaling, and transmission of raw keystrokes to the server. In the context of a task manager, this is highly suspicious and dangerous because it creates a generic remote operator channel that could provide shell access to the host or application environment.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding:
The page loads xterm.js and its fit addon, enabling an embedded terminal in a task-management dashboard whose declared purpose does not require shell access. Exposing terminal capability in a mismatched context materially increases attack surface and can facilitate command execution or operator deception if backend support exists elsewhere in the skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The terminal toggle button and connection status expose an interactive terminal workflow inside a task dashboard, which is context-inappropriate and may mislead users into invoking powerful functionality they did not expect. Even if not directly exploitable from this file alone, this hidden capability is a risky design indicator because it normalizes privileged access in an unrelated UI.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
Finding:
The server exposes a full interactive terminal over a WebSocket endpoint in a task-management dashboard, which is far beyond the stated functionality of the skill. Any connected client can send arbitrary shell input and receive command output, creating a remote command execution channel on the host running the dashboard.

Context-Inappropriate Capability

Severity: Critical
Confidence: 100%
Finding:
The code spawns the user's real system shell and forwards its stdin/stdout to remote WebSocket clients. Because it uses the current environment and home directory, an attacker gaining access to this endpoint can execute arbitrary OS commands, read local files, alter data, and potentially pivot to other systems.

Context-Inappropriate Capability

Severity: Medium
Confidence: 86%
Finding:
The documented workflow instructs the agent to start a local process and open a browser based on a user response, which expands the skill from task management into host-side execution and UI launching. Even though it is opt-in, these are privileged side effects that can be abused or unexpectedly triggered in automated contexts, and they are not strictly necessary to perform core task-management operations.

Intent-Code Divergence

Severity: Low
Confidence: 80%
Finding:
The file first presents the dashboard behavior as opt-in, then documents a configuration that skips the prompt and auto-launches the dashboard. This inconsistency weakens the stated safety boundary and can lead to unexpected process execution and browser opening, especially if configuration is enabled by default or inherited in unattended environments.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding:
The completion workflow directs deletion from source files and archival into another file as a required action, but does not clearly warn the user that it will modify multiple task documents. In a skill that can operate on a configurable absolute path, silent multi-file mutation raises the risk of unintended data loss or destructive edits in user-controlled directories.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The terminal binds terminal.onData directly to terminalWs.send(data), forwarding every user keystroke to the server with no explicit consent, warning, or contextual explanation that the user is interacting with a remote session. In a task-management dashboard, this makes the feature more dangerous because users may not expect shell semantics and could unknowingly issue sensitive commands or expose credentials into a remote backend session.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The remote terminal is exposed with no visible authentication, authorization, or user warning, so anyone who can reach the WebSocket may obtain shell access without understanding or consent boundaries. In the context of a task dashboard, this hidden execution surface is especially dangerous because users would not reasonably expect terminal-level access to be present.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The trigger phrases are broad, generic, and multilingual, so ordinary user text such as 'check task numbering' or 'fix sequence' could unintentionally activate modification logic. In a task-management skill that edits persistent files, unintended invocation can cause unauthorized or surprising file changes, especially because the checklist mandates scanning and auto-fixing after activation.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
The trigger phrase 'When user requests to add or insert a task' is broad enough that ordinary conversation can unintentionally activate the task-modification flow. In an agent setting, this can cause unintended state changes to task lists from ambiguous or indirect user phrasing, especially if the skill is auto-selected without explicit confirmation.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding:
The trigger condition is broad enough that a generic user request to 'complete a task' could cause the agent to modify files without first confirming which list, which task, and whether destructive follow-up steps are desired. In this skill, activation immediately leads into deletion, renumbering, archiving, and statistics updates, so ambiguity materially increases the risk of unintended state changes.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
These instructions mandate destructive edits—deleting completed tasks and renumbering all remaining tasks—without warning the user about loss of stable identifiers, broken references, or possible accidental removal of information from the active list. In a task-management skill, these side effects are especially risky because users may expect completion to be reversible or non-destructive.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The delegation flow changes records associated with other people, including owner attribution and performance-style statistics, without any privacy notice, authorization check, or confirmation that the user is allowed to edit those records. In this context, the skill is more dangerous because it manages customer/project work and subordinate tasks, so edits can affect third-party data integrity and workplace accountability.

Known Vulnerable Dependency: express==4.18.2 (2 advisories): CVE-2024-43796 (express vulnerable to XSS via response.redirect()); CVE-2024-29041 (Express.js Open Redirect in malformed URLs)

Severity: Low
Category: Supply Chain
Confidence: 90%
Finding: express==4.18.2

Known Vulnerable Dependency: ws==8.14.2 (2 advisories): CVE-2024-37890 (ws affected by a DoS when handling a request with many HTTP headers); CVE-2026-45736 (ws: Uninitialized memory disclosure)

Severity: High
Category: Supply Chain
Confidence: 98%
Finding: ws==8.14.2

VirusTotal

64/64 vendors flagged this skill as clean.
