Remind Me

Security checks across malware telemetry and agentic risk

Overview

This reminder skill is mostly purpose-aligned, but its cancel feature can delete reminders without verifying they belong to the current chat.

Review before installing, especially in shared or multi-chat environments. The skill should require channel/chat context for all cancel operations and verify the reminder tag before deletion. Single-user use is lower risk, but users should also know it may read USER.md for timezone and may update that file only after explicit consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding:
The skill instructs the agent to execute shell commands via `uv run ... main.py`, but the metadata declares no permissions for shell access. This creates a governance gap: reviewers and permission systems may underestimate the skill's capabilities, and an LLM following the skill may still invoke command execution without explicit authorization boundaries.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 98%
Finding:
The documented behavior claims channel/chat scoping and safe auto-detection, but the finding indicates cancellation operations are not actually scoped: cancel-by-name can affect jobs across chats, and cancel-by-ID can remove any job if the ID is known. In a multi-tenant reminder system, this enables cross-chat or cross-user interference, breaking isolation and allowing unauthorized deletion of other users' scheduled jobs.

Description-Behavior Mismatch

High
Confidence: 99%
Finding:
cancel_reminder_by_name fetches all jobs globally and matches solely on the human-readable name, without restricting results to the originating channel/chat. In a multi-tenant reminder skill that claims channel scoping, a user who knows or guesses another reminder's name could cancel reminders belonging to other chats or channels.

Description-Behavior Mismatch

High
Confidence: 99%
Finding:
cancel_reminder_by_id deletes any job by global ID with no verification that the job belongs to the requesting channel/chat. If job IDs can be discovered through logs, messages, or enumeration, this enables cross-chat deletion and breaks the skill's tenant isolation guarantees.

VirusTotal

64/64 vendors flagged this skill as clean.