Cfm Redis

Security checks across malware telemetry and agentic risk

Overview

This skill is a Redis-based agent messaging helper whose behaviour is disclosed, but users should treat stored and forwarded message contents as sensitive.

Install only if you are comfortable with Redis retaining recent inter-agent messages. Keep Redis local or authenticated, avoid sending secrets through CFM, disable or tightly control webhook forwarding, and periodically purge message history if retention is not desired.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill exposes meaningful capabilities beyond what is declared: it reads and writes local files, opens network connections to Redis, and documents outbound HTTP webhook transmission. Undeclared capabilities reduce informed consent and make it easier to deploy functionality that can persist state or exfiltrate message contents without operators realizing the full risk surface.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented behavior goes beyond a generic local messaging utility by including agent-specific reporting workflows, hardcoded reply/report helper scripts, local tracking files, and webhook forwarding. This mismatch can hide operationally sensitive behavior, especially message forwarding to named agents or external endpoints, under an innocuous 'Redis messaging' description.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The documentation instructs operators to rely on a --last-check-file deduplication control that does not exist in the shown implementation. This inconsistency can cause repeated processing and repeated reporting of prior messages, which in practice may leak old content multiple times or trigger duplicate automated actions.

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The documentation describes CFMMessenger as a context manager with listener-thread side effects, but the provided class lacks __enter__/__exit__ and any such thread. Users following the documented pattern may build unsafe automation around nonexistent lifecycle guarantees, leading to crashes, missed cleanup, or incorrect assumptions about background message handling.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The skill is presented as a Redis-based local messaging solution, but the documentation adds outbound webhook posting not reflected in the core implementation or manifest. This expands the data-exposure boundary from local IPC to arbitrary external HTTP transmission, which is materially more dangerous than the declared model suggests.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The daemon includes outbound HTTP webhook delivery even though the skill is described as a Redis Pub/Sub communication component. This expands the trust boundary and creates an additional exfiltration path for all received message content, especially because the webhook target is configurable and the full message body is forwarded.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code accepts an arbitrary webhook URL and later sends received Redis messages to that endpoint, enabling data exfiltration to attacker-controlled destinations if configuration is influenced or misused. In a messaging daemon, forwarding untrusted inbound content to arbitrary external endpoints is a meaningful capability increase beyond the stated Redis-only purpose.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README promotes automatic message persistence and periodic inspection of Redis-stored messages, but it does not warn that stored agent communications may contain sensitive prompts, secrets, or user data. In an agent setting, silent retention plus automated review increases the chance of unintended disclosure, over-collection, and privacy violations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README instructs users to create an automated cron job that polls Redis messages and explicitly prints message contents back to the operator, but it provides no warning about privacy, access control, or handling of sensitive data. In an agent environment, this can lead to routine disclosure of private inter-agent communications, especially if message channels carry credentials, prompts, or operational data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The webhook example sends collected message contents to an external endpoint without warning about confidentiality, trust boundaries, or destination control. In a messaging skill, message bodies may contain sensitive agent data, so silent egress to arbitrary URLs creates a real exfiltration risk.

Missing User Warnings

Low
Confidence
77% confidence
Finding
The check script writes persistent state to ~/.cfm/<agent>/processed.txt without prominently warning users that message metadata will be retained locally. In agent environments, silent persistence can leak communication history or identifiers across sessions, surprise users, and create unintended retention of sensitive workflow data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The webhook example forwards message contents to an arbitrary external URL without any privacy, trust-boundary, or data-handling warning. In practice, messages may contain secrets, internal prompts, task outputs, or user data, so this pattern can cause unintentional exfiltration to third-party services.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Webhook mode transmits the full received message over HTTP with no explicit consent flow, warning, or data minimization. If messages contain secrets, prompts, tokens, or internal workflow data, this can leak sensitive information outside the Redis-based local communication context.

Ssd 3

Medium
Confidence
94% confidence
Finding
The cron example instructs an agent to read Redis message history and reveal message contents in plain language. That creates a concrete data-exfiltration pathway from persisted inter-agent communications to another agent or user-facing output, especially if messages contain sensitive operational or user data.

Ssd 3

Medium
Confidence
83% confidence
Finding
The skill encourages forwarding/reporting message content in bulk without clear minimization, filtering, or sensitivity controls. Accumulated message history can contain more data than necessary for the task, so broad forwarding increases privacy and data-leak risk.

Ssd 3

Medium
Confidence
95% confidence
Finding
The webhook example explicitly sends newly collected messages to an arbitrary external endpoint. Without authentication, destination restrictions, or minimization, this is a straightforward exfiltration path for any content flowing through the Redis message bus.

External Transmission

Medium
Category
Data Exfiltration
Content
```python
if new_msgs:
    # trigger webhook
    import requests
    requests.post(webhook_url, json=new_msgs)
```

## Message Format
Confidence
97% confidence
Finding
requests.post(webhook_url, json=

Session Persistence

Medium
Category
Rogue Agent
Content
### 3. Download the CFM library

```bash
mkdir -p ~/.shared/cfm
# place cfm_messenger.py and cfm_cli.py in this directory
```
Confidence
83% confidence
Finding
mkdir -p ~/.shared/cfm # place cfm_messenger.py and cfm_cli.py in this directory ``` ## Usage ### Sending messages ```bash cd ~/.shared

VirusTotal

67/67 vendors flagged this skill as clean.