ClawHub

Mingle

Security checks across malware telemetry and agentic risk

Overview

Mingle is a disclosed professional-networking skill, but users should understand it can automatically check the remote service when connected.

Install this only if you want your assistant connected to Mingle's remote networking service. Review every card and intro before approving, avoid confidential details, and remove or update stale cards when you no longer want to be discoverable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill makes contradictory privacy claims: it says network calls happen only when a tool is explicitly called, yet Rule 1 instructs the assistant to silently call `get_digest` at the start of every session. That discrepancy undermines informed consent and transparency, and can cause users to be network-contacted or have session metadata checked without a clear contemporaneous prompt.

Vague Triggers

Medium
Confidence
93% confidence
Finding
Triggering this networking skill at the start of every session whenever it is connected is overly broad because it is unrelated to the user's immediate intent and causes unsolicited handling of networking state. In context, this expands the surface for privacy-invasive behavior by making the skill activate during arbitrary conversations, not only when the user asks for networking help.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instruction to silently perform `get_digest` at session start creates a non-transparent outbound network action before the user is notified at the point of use. For a networking skill that may expose interest, presence, or pending introductions, silent activation is especially risky because users may not expect any external check to occur merely by opening a chat.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal