Security audit

Signet Guide

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real mental-health companion guide/app, but it makes local-only and encryption claims that do not match the bundled code's sensitive data handling.

Review this carefully before installing. It may store mental-health conversations and mood data in readable local database files despite saying they are encrypted, and chat mode may send recent history and profile context to a Signet CLI whose local-vs-remote behavior is not clearly explained. Use it only if you are comfortable with those data flows, and do not rely on it for emergency or professional mental-health care.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Output Handling: Unvalidated Output Injection, Cross-Context Output, Unbounded Output
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    # Use signet CLI to generate response
    result = subprocess.run(
        ["signet", "chat", "--context", context, "--prompt", user_message],
        capture_output=True,
        timeout=30,
Confidence
92% confidence
Finding
result = subprocess.run( ["signet", "chat", "--context", context, "--prompt", user_message], capture_output=True, timeout=30,

Lp1

High
Category
MCP Least Privilege
Confidence
75% confidence
Finding
The skill uses 'shell' capability that is not listed in its permissions. This may indicate deceptive intent or missing permission declarations.

Tp4

High
Category
MCP Tool Poisoning
Confidence
85% confidence
Finding
The skill metadata presents a narrow, privacy-focused offline wellness guide, but the analyzed behavior reportedly includes external subprocess-driven chat, transmission of user messages/context to another tool or service, persistent transcript/profile storage, and crisis-response handling not disclosed in the description. In a mental-health context, this mismatch is especially risky because users may share highly sensitive information under the assumption that interactions remain local and limited to wellness tools, leading to privacy harm, unsafe handling of crisis situations, and uninformed consent.

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The module explicitly claims to handle encrypted local storage, but all conversation and mood data are written directly into plaintext SQLite databases. In a mental health companion, this data is highly sensitive, so anyone with local file access, backups, or malware access can read private conversations, mood history, notes, triggers, and profile data.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The CLI tells users that all conversations are stored locally and encrypted, but chat mode later establishes a Signet AI connection, which implies user messages may be transmitted off-device. In a mental-health context, this is a significant transparency and consent problem because users may share highly sensitive information under a false assumption of local-only handling.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The manifest describes a local mental health companion, but the chat flow sends prompts to a Signet AI-backed response engine. This creates a capability mismatch that can mislead reviewers and users about the app's true data flows and trust boundaries.

Context-Inappropriate Capability

High
Confidence
89% confidence
Finding
The code introduces external AI processing for a tool framed as a local mental-health companion, which is especially risky because users may disclose crisis details, diagnoses, medications, or other sensitive health data. If transmitted externally without clear justification and consent, this can cause serious privacy harm and regulatory exposure.

Scope Creep

High
Confidence
93% confidence
Finding
The import and use of a Signet connection indicates an undeclared external communication capability despite permissions listing only file.read and file.write. Hidden network behavior undermines permission-based trust and can allow exfiltration of sensitive user conversations outside the declared security model.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The manifest describes a local mental health companion, but the implementation checks for and relies on an external Signet CLI. This mismatch can mislead users into sharing sensitive mental-health information under false assumptions about locality and privacy.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
Executing an external subprocess in a skill presented as a local guidance companion expands the trust boundary and may expose sensitive user data to software outside the declared environment. In a mental-health context, this is especially dangerous because users may reveal crisis details, mood history, and personal context expecting purely local handling.

Intent-Code Divergence

Low
Confidence
83% confidence
Finding
The module documentation openly states that it connects to Signet AI, which conflicts with the manifest's local-companion framing. On its own this is not an exploit, but it evidences inconsistent disclosure that can contribute to unsafe user assumptions about privacy and data handling.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code persistently stores sensitive mental health data to local disk without any visible consent, warning, or disclosure mechanism in this component. In the skill context, storing conversations, moods, notes, and triggers without clear user awareness increases privacy risk and may expose users to harm if they assume the companion is ephemeral or confidential.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
Chat mode begins without a clear upfront warning that conversations will be stored locally, even though the application handles sensitive mental-health discussions. Users may reveal personal or health-related information before understanding that it will be retained.

Missing User Warnings

Low
Confidence
68% confidence
Finding
Showing prior conversation snippets directly on screen can expose sensitive mental-health content to shoulder surfing, screen recording, or shared-terminal use. While this is expected behavior for a history feature, the lack of warning or redaction increases privacy risk in a sensitive context.

Missing User Warnings

High
Confidence
99% confidence
Finding
This code transmits sensitive mental-health content—including the live prompt, recent conversation turns, and user profile details—to an external CLI without any visible notice, consent, or minimization. In a mental-health skill, unauthorized or unexpected disclosure can cause severe privacy harm, regulatory exposure, and user safety issues if crisis data is shared externally.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill presents breath-holding and rapid-breathing exercises as general wellness guidance without any screening, contraindications, or warning to stop if the user feels dizzy, panicked, or unwell. In a mental-health companion context, users may be especially vulnerable, and these exercises can worsen symptoms or create physical risk for people with panic, asthma, cardiovascular issues, pregnancy, or other medical conditions.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code detects moods including 'depressed' and 'hopeless' but responds only with generic self-help suggestions and no crisis escalation, emergency instruction, or encouragement to contact a trusted person or professional. In a local mental-health companion, omission of safety escalation for hopelessness can delay appropriate intervention for users at risk of self-harm or acute crisis.

Unvalidated Output Injection

High
Category
Output Handling
Content
def _check_signet(self) -> bool:
    """Check if Signet is available on the system."""
    try:
        result = subprocess.run(
            ["signet", "--version"],
            capture_output=True,
            timeout=5
Confidence
95% confidence
Finding
subprocess.run( ["signet", "--version"], capture_output

Unvalidated Output Injection

High
Category
Output Handling
Content
try:
    # Use signet CLI to generate response
    result = subprocess.run(
        ["signet", "chat", "--context", context, "--prompt", user_message],
        capture_output=True,
        timeout=30,
Confidence
95% confidence
Finding
subprocess.run( ["signet", "chat", "--context", context, "--prompt", user_message], capture_output

VirusTotal

65/65 vendors flagged this skill as clean.