planning-with-files

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local planning helper that creates and checks markdown task files, with no evidence of hidden network access, credential use, destructive behavior, or exfiltration.

Install this only if you want agents to keep persistent planning notes in your workspace. Review the two shell scripts before enabling runtime execution, avoid placing secrets in the generated markdown files, and delete task_plan.md, findings.md, and progress.md when you no longer want that saved context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger phrases are broad enough to match normal user requests such as 'help me build' or 'complex task', which can cause the skill to activate when the user did not explicitly consent to its workflow. In this skill, unintended invocation matters because activation leads directly into persistent file creation and scripted command execution, increasing the chance of side effects beyond the user's expectations.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill normalizes persistent filesystem writes as part of routine operation without requiring any user-facing disclosure or consent. This is risky because it can store sensitive task details, create unexpected artifacts, and persist data across sessions in ways the user may not anticipate, especially since the filesystem is explicitly treated as long-term memory.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The session start protocol says to 'ALWAYS' run a shell script first, with no requirement to explain or obtain consent for command execution. This is more dangerous in context because the command is mandatory, happens at session start, and uses interpolated task description input, creating a path for unexpected side effects or unsafe handling if the script or its arguments are not tightly controlled.

Missing User Warnings

Severity: Low
Confidence: 86%
Finding
The completion step requires running another shell script without notifying the user or describing its behavior. Although lower risk than the startup script because it is a verification step, it still introduces opaque command execution and potential side effects at the end of a task.

VirusTotal

64/64 vendors flagged this skill as clean.