Fulcra Context

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent Fulcra context purpose, but it needs Review because it handles very sensitive health, calendar, location, annotation, and transcript-derived data with broader file, export, CLI, and optional external-enrichment behavior than a simple read-only skill implies.

Review carefully before installing. Use this only if you are comfortable granting Fulcra OAuth/CLI access to sensitive health, calendar, location, annotations, and possible transcript-derived context. Prefer the official hosted MCP or stable Fulcra CLI, avoid unpinned FULCRA_CLI_COMMAND overrides, disable or remove weather enrichment unless explicitly needed, and treat generated JSON, CSV, and PNG outputs as private sensitive records.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 96%
Finding:
The skill documentation exposes operational capabilities including shell execution, environment-variable use, and local file read/write, but does not declare permissions up front. That creates a consent and sandbox-boundary problem: an agent or user may treat the skill as simple read-only context access while it can also invoke tooling, persist sensitive outputs, and access local credential/state files. In a health/location/calendar context, that mismatch materially increases privacy and misuse risk.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 98%
Finding:
The description frames the skill as read/context-only for Fulcra data, but the documentation expands behavior into annotation reads, local artifact export, watchdog state persistence, and even an external weather integration not disclosed in the top-level purpose. This is dangerous because users and orchestration systems rely on the declared scope for trust decisions; undisclosed data flows and persistence are especially sensitive when the skill handles biometrics, sleep, calendar, and location data.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding:
The README presents this skill as the read-only/context side, but the documented Otter.ai workflow explicitly instructs saving generated JSON summaries back into the user's Fulcra drive. That mismatch can cause agents or users to grant broader trust than intended, leading to unauthorized persistence of derived sensitive data such as meeting content and physiological inferences.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The top-level description says the skill is for read/context/analysis workflows, but the README later describes persisting processed meeting summaries back to Fulcra storage. This capability contradiction is dangerous because downstream agents may treat the skill as non-mutating and invoke it in contexts where writes of sensitive derived data were never expected or approved.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
A skill presented as read-only/context-only later documents exporting comprehensive health analyses to JSON and CSV files. Persisting derived health data creates a new confidentiality risk surface: files may be retained, copied, indexed, or exposed outside the original consent boundary even if the upstream API access was read-only.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding:
The skill says annotation creation belongs in a separate companion skill, but later includes annotation-related APIs within this one. Even if the included functionality is read-only, this muddles the trust boundary and can lead users or agent frameworks to grant or use broader annotation-related access than expected for a context-only skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The script temporarily overrides FULCRA_CLI_COMMAND to execute a GitHub-hosted tool path in order to fetch transcript files. That introduces an unnecessary external code execution/supply-chain dependency into a local visualization workflow handling highly sensitive health and calendar data, and the override is process-global rather than narrowly sandboxed. In this skill context, the behavior is more dangerous because the script already has access to sensitive user-consented data, so any compromised tool invocation could expand exposure beyond the intended read-only analysis path.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The script persistently stores highly sensitive health data to a local analysis directory by default, even though the skill is described as a read/context/analysis workflow. In this skill context, biometrics, sleep, activity, and related health metrics are especially sensitive, so creating durable local copies materially increases exposure through disk compromise, backups, logs, multi-user hosts, or later unintended reuse.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
The JSON export includes raw_data and detailed_analysis, which turns a dashboard/reporting utility into a bulk health-data extraction mechanism. Given the skill’s access to broad Fulcra context data, this greatly amplifies privacy risk by serializing granular user health information to disk in a portable, easy-to-copy format beyond what is necessary for a human-readable dashboard.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding:
The public _run_cli_public wrapper exposes arbitrary CLI execution, which exceeds the skill's declared read/context data-access purpose and creates a generic command surface over a sensitive Fulcra-integrated CLI. If reachable by higher-level agent logic, it could enable invocation of unintended subcommands or data-access paths not covered by the skill's intended permissions model.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The skill description emphasizes contextual data access, but this code also enumerates and downloads arbitrary Fulcra Library files. That mismatch broadens the accessible data surface to potentially sensitive document contents and can surprise reviewers or users who consented based on the narrower manifest description.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The skill is described as a read/context skill for biometrics, sleep, activity, calendar, location, and catalog data, but this file also exposes multiple annotation-reading APIs. That expands accessible personal data domains beyond the stated manifest, which can undermine user consent boundaries and increase privacy risk in a highly sensitive health/life-context integration.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The script enriches highly sensitive Fulcra-derived location and physiological analysis with a third-party weather provider, which expands data handling beyond the skill's stated Fulcra-only context access. Even if only coordinates and timestamps are sent, that can disclose precise user whereabouts and routines to an external service without clear user consent or manifest disclosure.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The weather lookup is not necessary for the core purpose of analyzing Fulcra context data and creates an unnecessary outbound data flow involving sensitive location-derived information. In a skill that already processes biometrics, sleep, activity, calendar, and location, unneeded third-party enrichment increases privacy and compliance risk substantially.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The skill handles highly sensitive data categories including biometrics, sleep, calendar, location, and meeting transcripts, yet the README does not provide a clear privacy warning about consent, minimization, retention, or downstream sharing of derived outputs. In this context, omission of privacy guidance increases the chance that agents will over-collect, over-share, or process intimate user data beyond user expectations.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The agent-assisted workflow saves processed meeting transcript summaries back to storage without clearly warning that this creates a new persisted artifact containing derived sensitive conversation and health-correlation data. Because the data combines transcripts with physiological spikes, the write-back materially increases privacy risk, retention scope, and the chance of later unintended disclosure.

Natural-Language Policy Violations

Severity: Low
Confidence: 75%
Finding:
Hardcoding a fallback timezone of America/New_York can cause incorrect interpretation of sleep, location, and calendar data when profile lookup and cache fail. For a context engine dealing with health and schedule data, incorrect timezone assumptions can produce misleading analysis, privacy mistakes, or wrong user-facing guidance.

Missing User Warnings

Severity: Medium
Confidence: 75%
Finding:
The script correlates calendar events, biometric time series, and meeting transcript annotations, creating a highly sensitive composite view that can reveal intimate behavioral and workplace context. While the lack of a user-facing privacy warning is not a code execution risk, it is a real privacy/security design issue here because the skill context involves especially sensitive categories of data whose combination materially increases sensitivity.

Missing User Warnings

Severity: Medium
Confidence: 80%
Finding:
The script saves a PNG containing derived health and calendar context to disk by default without an explicit warning or confirmation. In this skill context, on-disk artifacts may persist beyond the session, be synced or backed up automatically, or be accessible to other local users/processes, making sensitive exposure more likely.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The script correlates sensitive location traces with heart rate and HRV to infer personal habits and recovery characteristics, yet presents no privacy warning, consent checkpoint, or minimization controls in the execution flow. This kind of combined analysis can reveal intimate behavioral and health patterns, making misuse or unintended disclosure materially harmful.

VirusTotal

66/66 vendors flagged this skill as clean.