Security audit

Proactive Trigger

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its proactive-reminder purpose, but it needs review because it stores behavioral state, trusts shared local signals, and includes an unsafe shell-based OpenClaw command wrapper.

Install only if you are comfortable with a proactive assistant component that keeps local behavioral history and reads shared OpenClaw signal files. Before using it, restrict trusted signal writers, replace or disable the shell-based OpenClaw wrapper, and periodically inspect or clear the .soul state and log files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (13)

Context-Inappropriate Capability

Severity: High | Confidence: 97%
Finding
The module uses shell execution both to probe for the CLI and later to invoke it with dynamically constructed arguments. Because `toolName` and parameter values are interpolated into a shell command and only double quotes are escaped, shell metacharacters such as command substitution can still lead to command injection and arbitrary command execution.

Intent-Code Divergence

Severity: Medium | Confidence: 97%
Finding
The code sets `state.lastTriggerTime` to `now` before checking whether the stored trigger date differs from today, so the subsequent date comparison always uses today's date and never resets `triggersToday` on a new day. This breaks the daily-rate-limit logic and can either suppress intended protections or cause incorrect trigger accounting, undermining a safety control in a proactive messaging system.

Intent-Code Divergence

Severity: Low | Confidence: 94%
Finding
The script reads pending signals but never actually marks them resolved, despite comments indicating that it should. In this context, unresolved pending items can be reprocessed on later runs, causing duplicate proactive outreach, repeated state updates, and potential user annoyance or spam-like behavior.

Description-Behavior Mismatch

Severity: Medium | Confidence: 88%
Finding
The module can send and log outbound trigger messages even though the skill is described as a trigger-decision engine, expanding it from decision support into action execution. In agent systems, this kind of capability creep is dangerous because it lets a component intended only to decide timing directly affect users and system state, increasing the blast radius of prompt or logic abuse.

Context-Inappropriate Capability

Severity: High | Confidence: 96%
Finding
The code executes external commands via execSync to probe for and invoke the OpenClaw CLI, which is a powerful capability not justified by a trigger-timing utility. Although parameters are partially quoted, command construction still relies on shell invocation with attacker-influenced tool names and arguments, creating command-injection and unintended command-execution risk if inputs or environment are manipulated.

Context-Inappropriate Capability

Severity: Medium | Confidence: 86%
Finding
This code path performs message transmission behavior, which exceeds the stated role of deciding when intervention should occur. In context, that makes the skill more dangerous because a component meant to observe and decide can instead autonomously act on users, enabling unsolicited contact, abuse of agent autonomy, and policy bypass through a utility module.

Context-Inappropriate Capability

Severity: Low | Confidence: 82%
Finding
The embedded test harness writes, reads, and resolves live signals in the real workspace rather than an isolated test environment. If invoked in production, it can pollute pending/processed queues, alter system behavior, and hide or consume legitimate signals, creating integrity issues for automation that depends on these files.

Vague Triggers

Severity: Medium | Confidence: 89%
Finding
The description uses broad triggers such as 'user silence,' 'interest decay,' and 'timing maturity' without clear thresholds, consent boundaries, or scope limits. In a proactive intervention engine, ambiguous activation criteria can cause unsolicited actions, privacy-invasive inference, or boundary-crossing behavior when integrated with downstream automation.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding
The document specifies persistent storage of detailed trigger-state data, including topic history, user interest, activity timestamps, response behavior, and avoided topics, but does not mention user notice, consent, retention limits, or access protections. In this skill context, that data supports proactive behavioral inference, so silent local retention increases privacy risk and could expose sensitive profiling data to other local users, malware, backups, or support workflows.

Missing User Warnings

Severity: Medium | Confidence: 90%
Finding
`context_update` persists arbitrary key/value data to disk in a shared workspace file without notice, consent, retention limits, or data minimization. In a multi-skill or multi-user environment, this can silently store sensitive user-derived data and make it available for later access or misuse.

Missing User Warnings

Severity: Medium | Confidence: 92%
Finding
The `sendMessage` path writes full message contents to `trigger-messages.log` without warning, which can capture sensitive user or system content in plaintext. Persistent logs increase exposure through later access, backup leakage, or cross-component reuse beyond the user's expectations.

Missing User Warnings

Severity: Medium | Confidence: 95%
Finding
The function appends raw message content to a workspace log file, which may contain sensitive user data or inferred private context, without minimization, redaction, retention limits, or disclosure. If the workspace is accessible to other skills, users, or processes, this creates a straightforward confidentiality risk and persistent privacy leakage.

Ssd 3

Severity: Medium | Confidence: 91%
Finding
The script persistently stores user responses and topic history in plaintext under the user's home directory, creating a local accumulation of potentially sensitive conversational data. If the host is shared, compromised, backed up insecurely, or inspected by other local processes, this retained data can expose private interests, emotions, and behavior patterns.

VirusTotal

66/66 vendors flagged this skill as clean.