ClawHub

乐知班温馨提醒

Security checks across malware telemetry and agentic risk

Overview

This skill mostly does what it says, but it also directs automatic Feishu sending and local file cleanup in ways users should review before installing.

Install only if you want reminder text and generated images sent through the configured Feishu channel automatically. Before use, review or disable the cleanup commands, HEARTBEAT.md integration, and referenced cleanup_reminders.sh script, and avoid putting sensitive student or personal information in reminder notes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill includes deletion commands over user-accessible directories and references an external cleanup script in the workspace, which expands its capabilities beyond the core task of generating and sending one reminder image. Even if intended as housekeeping, automatic deletion and script execution create unnecessary risk of data loss or misuse if file patterns, paths, or future edits are wrong.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill automatically sends generated images and message text to Feishu, but the description does not present this as a clear up-front warning or consent boundary. This can lead to unintended disclosure of user-provided notes or schedule information to a third-party channel without the user fully realizing transmission happens automatically.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill describes automatic deletion of reminder images older than 7 days without a prominent warning to the user. While scoped to matching filenames, silent retention cleanup can still surprise users and remove files they expected to keep, especially in shared or manually reused directories.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal