Snipara MCP

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a legitimate Snipara integration, but it exposes persistent remote memory, document upload/sync, deletion, and multi-agent coordination tools with limited in-tool warnings or confirmation controls.

Install only if you are comfortable sending selected queries, session context, memories, and uploaded document contents to Snipara. Use scoped credentials, avoid storing secrets or regulated data, review and delete memories periodically, and be especially careful with the delete_missing option of bulk sync, summary deletion, memory deletion, and the swarm state tools.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
The skill is presented as a documentation search tool, but it also exposes document upload, bulk sync, summary storage, and other mutation capabilities. This expands the trust boundary from read-only retrieval to persistent modification of indexed content, creating risk of data exfiltration, poisoning, or unintended writes if an agent uses these tools automatically.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Persistent memory is unrelated to the core smart documentation search use case and enables storage of user preferences or other session-derived data across conversations. Without strong consent and data minimization controls, this can lead to privacy issues, retention of sensitive information, and cross-session leakage of contextual data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Template and shared collection management go beyond the stated documentation search function and introduce administrative capabilities that can alter shared prompts, standards, or uploaded content. These features can be abused to poison shared context, influence future agent behavior, or expose internal standards across a team.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Swarm orchestration, resource claiming, state mutation, and task management dramatically exceed the advertised documentation search purpose and create a broad control surface for multi-agent coordination. If exposed through a seemingly benign search skill, these functions could be used to coordinate unintended actions, overwrite shared state, or lock resources under the guise of documentation assistance.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
The module advertises itself as a documentation-query server, but it also exposes state-changing capabilities such as document upload/sync, summary deletion, memory storage/deletion, and multi-agent coordination. That mismatch can cause users or calling agents to grant trust or invoke the skill under a narrower threat model than the code actually warrants, increasing the chance of unintended destructive or privacy-impacting actions.

Missing User Warnings

Severity: Medium
Confidence: 93%
The README advertises persistent memory across sessions and shows storing user preferences, but it does not clearly warn that user-provided content may be retained remotely and reused later. In an agent/MCP context, this can lead to privacy surprises, accidental retention of sensitive data, and non-obvious cross-session exposure.

Missing User Warnings

Severity: Medium
Confidence: 95%
The README describes the document upload and bulk sync features without explicitly warning that repository or document contents are transmitted to Snipara's external API. In a code-assistant setting, users may unknowingly send proprietary code, credentials, or internal documents off-host.

Missing User Warnings

Severity: Medium
Confidence: 96%
The skill promotes storing preferences and recalling them across sessions but does not provide a clear privacy warning, consent workflow, or guidance against storing sensitive data. This is dangerous because users may unknowingly have personal or confidential information retained persistently and reused later without clear visibility or control.

Missing User Warnings

Severity: Medium
Confidence: 92%
The inject tool sends arbitrary user-provided session context to a remote Snipara API, but neither the function nor the exported tool description makes the off-box transmission explicit. In an agent-tooling setting, this can cause operators or downstream agents to submit secrets, proprietary code, or sensitive prompts under the assumption the action is local-only.

Missing User Warnings

Severity: Medium
Confidence: 94%
The remember tool transmits arbitrary content to a remote service for storage and later recall, but the interface does not clearly warn users about external transmission or persistence semantics. That creates a real risk of confidential data being unintentionally retained outside the local environment, especially because the feature is framed as convenient cross-session memory.

Missing User Warnings

Severity: Medium
Confidence: 96%
The upload_document tool sends full document contents to the remote API, yet the description does not prominently warn that complete file contents leave the local environment. In practice, agents may upload source code, internal docs, credentials, or regulated data, making unintentional exfiltration a significant risk.

Missing User Warnings

Severity: High
Confidence: 97%
The sync_documents tool can bulk upload document contents and, when delete_missing is enabled, remove remote documents to match the submitted list, but this destructive and external effect is not clearly disclosed. In an agent context, unclear semantics around remote deletion and synchronization can lead to large-scale unintended data exposure or loss.

Missing User Warnings

Severity: Medium
Confidence: 97%
The bulk sync tool exposes a delete_missing option that can remove documents not present in the submitted list, but the server performs no explicit warning, confirmation, or safety interlock before forwarding the request. In an agent setting, a mistaken or prompt-injected invocation could wipe project documentation at scale with a single call.

Missing User Warnings

Severity: Medium
Confidence: 94%
The summary deletion handler immediately forwards deletion requests without presenting a clear warning or requiring confirmation from the caller. Because summaries may be reused for future responses, accidental or adversarial deletion can silently degrade system behavior and destroy retained project knowledge.

Missing User Warnings

Severity: Medium
Confidence: 95%
The memory deletion tool allows deleting memories by ID or broad filters with no user-facing confirmation or execution friction. In this context, memories may contain high-value user, team, or project context, so an unintended call can erase operational knowledge or cover tracks after misuse.

Ssd 3

Severity: Medium
Confidence: 92%
The memory tools are explicitly designed to store and semantically recall free-form facts, preferences, context, and user-provided information, which creates a durable retention and retrieval channel for sensitive data. In an MCP/agent environment, this increases the risk of privacy leakage, over-retention, cross-session disclosure, and prompt-driven exfiltration of previously stored secrets or personal data.
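The two recurring problems in the findings above are that the egress tools (upload_document, sync_documents, remember, inject) ship caller-supplied content off-box with no warning, and that the destructive tools (bulk sync with delete_missing, summary deletion, memory deletion, swarm state changes) run with no confirmation interlock. Since the server does not provide either control, the practical mitigation suggested in the Overview is to enforce them on the client side before a tool call is forwarded. The following guard is an added example written for this page; it is not code from Snipara, from the skill, or from the scanner. The tool names upload_document, sync_documents, remember and inject and the delete_missing parameter are taken from the findings; delete_summary, delete_memory, the swarm_ prefix and the argument names content, path, documents, filter and context are assumed stand-ins for tools and parameters the report describes without naming.

```python
"""
Client-side guard for tool calls to the Snipara MCP server.

Added example, not part of the Snipara project or of the scanner output.
Assumed names: delete_summary, delete_memory, swarm_* and all argument keys
other than delete_missing.
"""
import json
import re
from dataclasses import dataclass, field
from typing import Any, Iterator

# Tools that transmit caller-supplied content to the remote Snipara API.
EGRESS_TOOLS = {"upload_document", "sync_documents", "remember", "inject"}

# Tools that destroy or rewrite remote state (assumed names, see docstring).
DESTRUCTIVE_TOOLS = {"delete_summary", "delete_memory"}
DESTRUCTIVE_PREFIXES = ("swarm_",)

# Credential shapes that must never leave the host. Deliberately narrow;
# extend for your own environment.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_token": re.compile(r"\bgh[pousr]_[A-Za-z0-9]{36,}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_assignment": re.compile(
        r"""(?i)\b(?:api[_-]?key|secret|password|token)\s*[:=]\s*["']?[A-Za-z0-9/+_\-]{16,}"""
    ),
}


@dataclass
class Decision:
    verdict: str                     # "allow", "confirm" or "block"
    reason: str
    matches: list = field(default_factory=list)


def _walk_strings(value: Any) -> Iterator[str]:
    """Yield every string nested anywhere in a JSON-like argument structure."""
    if isinstance(value, str):
        yield value
    elif isinstance(value, dict):
        for v in value.values():
            yield from _walk_strings(v)
    elif isinstance(value, (list, tuple)):
        for v in value:
            yield from _walk_strings(v)


def find_secrets(args: dict) -> list:
    """Return the names of the secret patterns found in any string argument."""
    hits = []
    for text in _walk_strings(args):
        for name, pat in SECRET_PATTERNS.items():
            if pat.search(text) and name not in hits:
                hits.append(name)
    return hits


def is_destructive(tool: str, args: dict) -> bool:
    """True for deletion/swarm tools, and for bulk sync only when delete_missing is set."""
    if tool in DESTRUCTIVE_TOOLS or tool.startswith(DESTRUCTIVE_PREFIXES):
        return True
    return tool == "sync_documents" and bool(args.get("delete_missing"))


def guard_tool_call(tool: str, args: dict, confirmed: bool = False) -> Decision:
    """
    Decide whether a tool call may be forwarded to the server.

    A secret in the payload is blocked even when the operator has confirmed
    the call: confirmation covers the destructive effect, not the data egress.
    """
    if tool in EGRESS_TOOLS:
        hits = find_secrets(args)
        if hits:
            return Decision("block", f"{tool} would send credential-like content off-box", hits)
    if is_destructive(tool, args) and not confirmed:
        return Decision("confirm", f"{tool} mutates or deletes remote state; confirmation required")
    return Decision("allow", "no policy triggered")


# Constructed sample calls for demonstration, not captured from a real session.
SAMPLE_CALLS = [
    ("remember", {"content": "User prefers tabs over spaces"}),
    ("upload_document", {"path": "deploy/.env", "content": "AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n"}),
    ("sync_documents", {"documents": [{"path": "README.md", "content": "# Project docs"}], "delete_missing": True}),
    ("delete_memory", {"filter": {"project": "*"}}),
]


def audit(calls) -> list:
    """Run the guard over a batch of calls and return (tool, verdict) pairs for logging."""
    return [(tool, guard_tool_call(tool, args).verdict) for tool, args in calls]


if __name__ == "__main__":
    for tool, args in SAMPLE_CALLS:
        d = guard_tool_call(tool, args)
        print(json.dumps({"tool": tool, "verdict": d.verdict, "reason": d.reason, "matches": d.matches}))
```

Wire guard_tool_call into whatever sits between the agent and the MCP transport (a proxy, or the client's tool-dispatch hook) so that a "confirm" verdict surfaces to a human and a "block" verdict is returned to the agent as an error rather than forwarded. The secret patterns are a floor, not a complete DLP policy; the point is that egress and destruction are decided before the request reaches Snipara, which the server itself does not do.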

VirusTotal

65/65 vendors flagged this skill as clean.
