ClawHub

Friends DB

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local friends CRM helper that handles sensitive personal and calendar data, but I found no hidden exfiltration, deception, or unsafe automatic behavior.

Install only if you want OpenClaw to maintain a persistent local friends/contact CRM. Treat the database and backups as private, run migration with --replace-with-stub only when you intend to replace friends.md, and use sync-calendar only after checking the calendar account and date range are appropriate.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill invokes shell commands and performs file reads/writes, including access to a private workspace file and updates to local state, yet declares no permissions. That omission weakens review and consent boundaries because users and orchestration layers cannot accurately understand or gate the skill's real capabilities.

Tp4

High
Category
MCP Tool Poisoning
Confidence
91% confidence
Finding
The documented purpose understates the skill's behavior: it not only queries a local contacts database, but also migrates data from friends.md, rewrites files, maintains richer relationship-tracking fields, and syncs calendar-derived interaction history. This mismatch is dangerous because it can lead users or policy systems to approve a seemingly simple lookup skill that actually modifies local data and pulls additional sensitive context from external calendar sources.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill description presents a local friends-database lookup/update tool, but the implementation introduces CRM logic, cadence tracking, and calendar-derived relationship analysis. This scope expansion matters because users and higher-level agents may grant access based on the manifest and not expect profiling-style processing of personal relationship data.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This code reads external Gog configuration and invokes the `gog` CLI to access calendar data, which is a materially broader capability than a local SQLite friends database helper. It expands the trust boundary from local file management to external account-backed data access, creating a privacy and overreach risk if agents invoke the skill assuming only local-database operations occur.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The calendar sync routine imports historical calendar events, matches them to contacts via emails and text mention heuristics, and persists those interactions into the friends database. This creates sensitive derived relationship data from a source not disclosed in the manifest, increasing the privacy impact because calendar contents can reveal meetings, locations, and social patterns beyond contact details.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The CLI exposes a broad friend-CRM surface, including private notes, cadence, pauses, tags, interaction logs, and suggestions, which goes beyond simple database lookup/maintenance described in the metadata. In the skill context, undisclosed capability expansion is risky because it can cause agents to store or manipulate more sensitive personal data than the operator intended.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The migration command includes a --replace-with-stub option that can overwrite friends.md, but the skill text does not present this as a destructive operation or require confirmation. In a personal data-management context, this creates risk of accidental data loss or unexpected modification of a user-maintained source file containing sensitive contact notes.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The calendar sync path pulls account-backed calendar data and links it to contact records, but there is no in-file user-facing warning or consent checkpoint before this privacy-sensitive processing. In this skill context, that omission is more dangerous because the tool is presented as a local friends database helper, so users may not anticipate cross-source correlation of calendar history with personal contacts.

Missing User Warnings

Medium
Confidence
74% confidence
Finding
The migrate command can rewrite `friends.md` into a stub after import when `--replace-with-stub` is used, but the code does not present a strong warning or confirmation prompt immediately before destructive modification. That creates a data-integrity risk in a personal knowledge-management context because the original markdown source may be unexpectedly replaced despite being a primary user-managed artifact.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal