brain (大脑, "brain")

Security checks across malware telemetry and agentic risk

Overview

This skill is a memory and subagent orchestration tool, but it includes broad command execution and persistent task-memory handling that need careful review before installation.

Install only if you are comfortable with a skill that can persist task details in ~/.openclaw/workspace, inject prior memory into later sessions, spawn subagents, and provide a generic shell command wrapper. Avoid putting secrets, credentials, customer data, or sensitive internal plans into tasks unless you first remove or harden the logging, memory injection, and exec mode.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (17)

MCP Least Privilege

Medium
Confidence
83% confidence
Finding
The skill advertises and appears to rely on environment-aware script execution, file access, and session orchestration, yet no explicit permissions are declared. That mismatch weakens user consent and security boundaries because operators may install the skill believing it is documentation-only while it can access runtime context and local state.

MCP Tool Poisoning

High
Confidence
95% confidence
Finding
This is a substantive capability mismatch: the description frames the skill as a decision/memory aid, but the referenced behavior includes arbitrary command execution, spawning subagents, and persistent file modification under the user's workspace. In an agent ecosystem, hidden execution and persistence capabilities materially increase the chance of unauthorized actions, data exposure, and difficult-to-audit side effects.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The helper writes task-derived content and routing telemetry into persistent workspace logs, but the skill metadata does not clearly disclose that user prompts and internal decisions are stored on disk. This creates an information disclosure and retention risk because sensitive task details may be captured, persisted, and later accessed by other local processes or users.

Description-Behavior Mismatch

High
Confidence
91% confidence
Finding
The implementation materially exceeds the skill's stated 'brain/memory/decision' purpose by introducing a generic execution watchdog and subagent launcher. This capability mismatch is dangerous because it can conceal powerful execution primitives inside a skill users would not expect to invoke shells or spawn agents, undermining informed trust and review.

Context-Inappropriate Capability

Critical
Confidence
99% confidence
Finding
execWithRetry passes an arbitrary string directly to execSync, which invokes a shell and permits unrestricted command execution in the current environment. In an agent skill context, this becomes highly dangerous because any upstream prompt, task, or user-controlled input that reaches this function can lead to full command injection, file access, data exfiltration, or destructive system changes.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
runSubagent can spawn external subagent sessions through a CLI command, effectively delegating work and permissions to another runtime without clear scope restriction or justification. This expands the attack surface because untrusted task content may trigger autonomous actions, recursive orchestration, or indirect execution beyond the user's expected 'brain' functionality.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The installation instructions tell users to enable automatic context injection from memory files, but they do not warn that sensitive contents from snapshots or work buffers may be injected into future sessions. This creates a realistic privacy and confidentiality risk because secrets, personal data, or prior-task artifacts can be propagated beyond their intended scope.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Advertising semantic search across historical memory without retention and privacy disclosures is dangerous because users may not realize prior task data is being indexed and surfaced later. Historical memory systems can unintentionally expose secrets, proprietary information, or personal data in unrelated contexts if retention and access controls are not clearly bounded.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This script reads potentially sensitive workspace files from the user's home directory and prints a synthesized context object to stdout, including extracted snapshot data and part of the working buffer. In an agent/skill setting, stdout is commonly consumed by other components or logs, so this creates an unguarded disclosure path for personal data, task context, and transient notes without consent, minimization, or access controls.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script persists task names, plans, subagent information, and completion results into predictable local memory files under the user's home directory without any consent prompt, sensitivity filtering, or access-control checks. In an agent skill context, those fields can contain API keys, internal plans, customer data, or other secrets, so local persistence increases the risk of unintended disclosure through later reads, backups, sync tools, or other local processes.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script logs the full task description verbatim to disk without warning, and task text can easily include secrets, credentials, customer data, or internal project details. Persisting raw user input in a predictable workspace path increases the chance of unintended disclosure through local access, backups, sync tools, or later reuse by other automation.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The routing decision JSON includes the original task and is written to persistent storage without a clear user warning. Because the JSON also captures model selection, verification flags, and derived reasoning metadata, it broadens the amount of sensitive operational context retained beyond the immediate execution need.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code writes task JSON to a predictable /tmp path derived only from Date.now(), which may expose sensitive task data to other local processes and is open to race conditions and symlink attacks in shared environments: a local attacker who guesses the name can pre-create the file or a symlink so the write lands where they choose. Even if the file is later deleted, transient disclosure can still occur, and the path is neither randomly named nor created with exclusive (O_EXCL) semantics and owner-only permissions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The CLI exposes a direct 'exec' mode that accepts arbitrary commands from command-line arguments and executes them, with only timeout/retry wrappers and no safety gating. In practice this provides a ready-made remote-operation primitive if an agent or user is induced to call the script with attacker-controlled input, and the lack of warning or permission checks increases accidental misuse.

Ssd 3

Medium
Confidence
95% confidence
Finding
The script deliberately constructs session injection text containing user information, current tasks, recent conclusions, and up to 500 characters of the working buffer for inclusion in every session. In an AI agent skill, this materially increases exposure because sensitive memory is transformed into prompt text that may be forwarded to models, plugins, logs, or downstream tooling, turning private workspace state into a broad natural-language leakage channel.

Ssd 3

Medium
Confidence
97% confidence
Finding
Verbatim logging of task input to memory files creates a clear sensitive-data retention issue. In agent workflows, prompts frequently contain proprietary code, incident details, tokens, filenames, or business context, so storing them unfiltered materially increases confidentiality risk.

Ssd 3

Medium
Confidence
97% confidence
Finding
Writing the entire routing decision object to a workspace memory log retains both source task content and internal execution metadata for later access. This expands the attack surface because anyone with access to the workspace can recover user intent, potentially sensitive inputs, and system behavior over time.

VirusTotal

65/65 vendors flagged this skill as clean.
