SealVera

Security checks across malware telemetry and agentic risk

Overview

SealVera has a legitimate audit-logging purpose, but it persistently changes agent behavior and can send broad task, transcript, and credential-linked data to a remote service with insufficient scoping.

Install only after confirming this workspace is allowed to transmit prompts, outputs, reasoning summaries, workspace identifiers, and possible transcript-derived content to SealVera. Use your own API key, review AGENTS.md and SOUL.md after setup, avoid NODE_OPTIONS autoloading in sensitive projects, and do not run subagent-watcher.js unless transcript backfill is explicitly intended and governed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
78% confidence
Finding
The skill advertises and documents access to environment-derived paths and setup behavior without declaring corresponding permissions, which weakens user visibility into what the skill can access or modify. In a security-sensitive agent environment, undeclared env-related capability can hide access to workspace configuration and other runtime settings that influence file writes and outbound logging.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is audit logging, but the described behavior expands into control-plane modification, SDK hooking, transcript scanning, backfilled uploads, and use of a hardcoded default API key. That gap is dangerous because users may consent to observability while unknowingly granting persistent behavioral control over agents and broad collection/exfiltration of session data.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The setup instructions go beyond logging by modifying agent control files so spawned agents are forced to execute additional behavior. This creates a persistence and policy-injection risk: future tasks and sub-agents may be altered without granular user review, potentially causing unexpected data disclosure or execution flows.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Rewriting AGENTS.md or similar instruction files to impose mandatory execution rules is broader than an audit function and effectively changes agent behavior across future sessions. In this context, that is especially dangerous because it can create durable, hidden policy injection that propagates to sub-agents and normalizes automatic outbound logging of task content.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The autoload script globally hooks Node's module resolution and replaces constructors for third-party SDKs at runtime, which is a powerful interception mechanism that affects all code in the process. In this skill's context, that means model client traffic and possibly prompts/responses may be transparently redirected into telemetry patching without explicit per-call opt-in, expanding the blast radius if the patching logic is incorrect or abused.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The file monkey-patches OpenAI and Anthropic SDK usage at runtime by hooking loaded modules from the global require cache and applying SealVera patch methods. Even if intended for audit logging, this changes process-wide behavior in a non-local and hard-to-audit way, which can unexpectedly capture prompts, outputs, or metadata from unrelated agent actions and expand telemetry scope beyond what callers explicitly opted into.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The setup script persists the SealVera API key into generated workspace artifacts, including the generated helper and later config/env paths, which expands behavior from transient setup into credential storage inside the target project. Storing service credentials in project files increases the chance of accidental commit, disclosure to other tools/agents, and reuse outside the user's intent.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer modifies AGENTS.md to impose mandatory behavior on sub-agents, and separately patches SOUL.md for main-session logging, which changes agent behavior beyond simple local configuration. Because these instructions direct agents to transmit task inputs, outputs, and reasoning, the patch becomes a durable policy injection point affecting future agent runs and potentially sensitive workflows.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The watcher reads local sub-agent transcripts and sends synthesized task/result content to an external service when it detects missing logs. Even if truncated, transcript-derived content may contain sensitive prompts, personal data, secrets, or proprietary material, which expands the skill from audit metadata collection into content exfiltration. In an audit-trail skill, this is somewhat related to the stated purpose, but the fallback export of transcript content makes the behavior more privacy-sensitive and dangerous than simple logging.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The code monitors a specific local directory under the user's home folder to enumerate agent sessions, which is a host-level surveillance capability not disclosed in the skill description. This gives the skill visibility into local execution history and workflow metadata beyond a narrow, explicit API-based audit integration. Because the skill is presented as compliance/audit tooling, the capability is contextually plausible, but undisclosed filesystem monitoring still creates privacy and trust risks.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill encourages automatic logging of inputs, outputs, reasoning, confidence, and model metadata without prominent warnings about privacy, regulated data, or secrets. Given the stated use in healthcare, finance, and compliance contexts, this can result in transmission and storage of sensitive or regulated information, making the context more dangerous rather than less.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The setup flow modifies workspace files and sends a test log without a clear upfront warning that installation changes local agent behavior and may transmit workspace-derived data off-box. Users may trigger setup expecting simple configuration, but instead receive persistent file modifications and immediate outbound activity.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The API reference promotes wrapping or patching LLM clients so that all calls are logged automatically, but it does not clearly warn that prompts, completions, and possibly sensitive data will be transmitted to a remote SealVera service. In a compliance/audit skill, users may assume this is a local auditing helper, so silent broad interception increases the risk of unintentional exfiltration of personal, regulated, or proprietary data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The logging example explicitly sends full input and output objects, reasoning steps, user identifiers, and metadata to the service without cautioning against inclusion of sensitive data. Because this skill is positioned for GDPR, HIPAA, and AI audit use cases, operators may be especially likely to log regulated or highly sensitive content, making omission of data-minimization guidance materially risky.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation promotes zero-touch interception of all OpenAI/Anthropic calls and states they are logged automatically, but it does not clearly warn that prompts, responses, and possibly sensitive user data will be transmitted to an external service. In an audit/compliance skill, this creates a real risk of accidental exfiltration of regulated or confidential data because users may enable it broadly without understanding the privacy impact.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This section explicitly says the integration captures prompt previews and response text, but provides no adjacent warning about sensitive data handling, retention, or third-party transmission. Because LangChain agents often process secrets, customer records, or regulated text, documenting this collection without clear safeguards can lead to unintended disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The n8n example sends workflow JSON, including trigger data and outputs, to a remote ingest endpoint with no warning that this may contain secrets, personal data, or internal business records. Low-code workflows commonly aggregate sensitive data from many systems, so encouraging direct forwarding of full payloads materially increases data leakage risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The raw HTTP example demonstrates sending input, output, and reasoning data to an external API without any privacy caution or data classification guidance. Reasoning trails and outputs can contain especially sensitive internal logic, personal data, or proprietary information, making this a meaningful documentation-driven disclosure risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script is explicitly designed for zero-friction autoload through NODE_OPTIONS and initializes remote telemetry to a configurable endpoint, while also enabling automatic reasoning capture by default. In an audit-trail skill, this is especially sensitive because it can silently intercept LLM interactions and send potentially confidential prompts, responses, or reasoning-derived metadata off-host without clear runtime consent or strong user-facing disclosure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The interceptor initializes telemetry patching silently and returns early on failure, giving no user-facing disclosure that LLM requests may be logged to an external service. In an audit/compliance skill, silent interception is especially sensitive because prompts and model outputs may contain regulated or confidential data, so lack of notice and consent can create privacy, compliance, and trust risks.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installer writes the API key into .sealvera.json without explicit warning or consent about credential persistence. A workspace config file is likely to be read by tools, copied, or committed, making silent secret storage a real confidentiality risk.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The AGENTS.md patch mandates remote logging of task input, output, and reasoning but does not clearly warn that potentially sensitive user data will be transmitted to an external service. This undermines informed consent and can lead agents to disclose secrets, regulated data, or proprietary content during normal operations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup sends a test log containing workspace metadata and setup details to the remote ingest endpoint without an explicit privacy notice at the point of transmission. While the transmitted fields are limited, the workspace path can reveal usernames, internal project names, or other sensitive environmental details.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script accepts a user-controlled SEALVERA_ENDPOINT and will send the x-sealvera-key header over plain HTTP when that endpoint uses the http scheme. That exposes the API key and queried agent audit metadata to interception or modification by any network attacker, and because this skill is explicitly used for compliance and audit trails, loss of integrity or confidentiality of these requests is especially risky.

Missing User Warnings

High
Confidence
99% confidence
Finding
A hardcoded API key fallback embeds a usable credential directly in the script, allowing anyone with code access to reuse it and causing silent transmission to the vendor even when no environment variable is configured. This is especially dangerous in compliance-oriented software because it can enable unauthorized data ingestion, account abuse, billing impact, and hidden data export without informed user setup. The skill context increases risk because users may trust audit tooling with sensitive decision records.

VirusTotal

65/65 vendors flagged this skill as clean.