ClawHub

Cross Terminal Sync

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built for cross-device WorkBuddy sync, but it asks users to move sensitive agent state into OneDrive and alter persistent links, so it should be reviewed carefully before installation.

Install only if you intentionally want WorkBuddy state synced through OneDrive. Review which files will be linked before running setup, keep local backups, avoid syncing identity/profile/database files unless needed, and treat the optional MCP server as a separate third-party component that will receive OneDrive OAuth read/write access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger phrases are broad and conversational, such as references to 'another computer' or 'sync Skill/project/config', which can cause the skill to activate during ordinary discussion rather than an explicit request to modify sync state. In this skill's context, activation can lead to filesystem relinking, cloud-connected setup, and cross-terminal data access guidance, so accidental invocation materially increases the chance of unintended sensitive operations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
These steps rename existing ~/.workbuddy data and replace it with junctions/symlinks into OneDrive-backed locations, changing where the agent reads and writes core files such as MEMORY.md, IDENTITY.md, USER.md, SOUL.md, and workbuddy.db. That can expose sensitive local state to cloud sync, create data loss/confusion if links are wrong or partial, and alter persistence behavior without a strong warning, rollback plan, or explicit per-file consent.

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal