Nanobot Overstory Bridge

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real OverClaw bridge, but it gives agents broad local execution and persistent memory authority beyond what the user-facing description clearly scopes.

Install only if you intentionally want an agent-swarm bridge with local execution authority. Keep the gateway URL pinned to a trusted local endpoint, set OVERSTORY_BIN to a trusted absolute path, review MEMORY.md before syncing, and gate or disable generic skill-script execution, approve_agent, MCP execution, and persistent memory writes in untrusted workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    cmd = [sys.executable, str(script)] + (shlex.split(args) if args else [])
    log.info("Running: %s", " ".join(cmd))
    try:
        proc = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
        return {"stdout": proc.stdout, "stderr": proc.stderr, "exit_code": proc.returncode}
    except subprocess.TimeoutExpired:
        return {"error": "Script timed out after 120s", "exit_code": 124}
Confidence
95% confidence
Finding
proc = subprocess.run(cmd, capture_output=True, text=True, timeout=120)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises substantial capabilities including environment access, file read/write, network communication, and shell execution, but does not declare permissions or provide an explicit trust boundary. In an agent ecosystem, this prevents informed consent and weakens enforcement, especially because the documented bridge can invoke CLI operations, sync local memory, and interact with a local gateway.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior materially exceeds the stated purpose: beyond simple routing and memory sync, it appears to support arbitrary script execution, MCP tool execution, workspace modification, approval automation, persistent storage, and direct control over multiple overstory lifecycle commands. This mismatch is dangerous because users and policy systems may grant trust based on the narrow description while the skill can perform far more powerful local and network actions.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill claims to be a bridge for routing and memory sync, but it also creates project folders and rewrites local UI settings. This hidden state-changing behavior increases risk because an agent granted bridge-like permissions can also alter local workspace/UI state without that broader authority being obvious from the manifest or docstring.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The tool does not just bridge tasks to overstory; it can discover and execute arbitrary scripts from installed skills. In an agent ecosystem, that effectively turns a bridge utility into a generic local code-launcher, enabling privilege expansion and execution of unintended capabilities.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This helper exposes broad subprocess execution for any discovered skill script, which is far wider than necessary for a gateway bridge. Because agents can pass script names and arguments, the module becomes a general execution trampoline that can run untrusted or overly privileged local code.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The module presents itself as a gateway/skills access CLI, but it also mutates local UI settings and workspace state. That mismatch can mislead operators and policy engines into granting broader permissions than intended, increasing the chance of unsafe deployment and misuse.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Bidirectional memory synchronization can copy local context into external agent workflows and then write agent-derived content back into local memory, creating confidentiality and integrity risks. Without an explicit warning, users may unknowingly expose sensitive data in MEMORY.md or accept poisoned or irrelevant content being persisted locally.

Missing User Warnings

Low
Confidence
89% confidence
Finding
Persistent storage of session-to-agent mappings in SQLite creates a local artifact that can reveal workflow history, task linkage, and agent identities over time. While lower severity than arbitrary execution, the lack of disclosure can still surprise users and may expose operational metadata to other local processes or users.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code executes local scripts without any user-facing warning or confirmation, even though this can launch arbitrary installed skill code. In an agent setting, silent execution materially increases the chance of unintended actions and reduces the user's ability to prevent risky code paths.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
This path silently transmits tool parameters over HTTP to the MCP gateway. While expected for tool execution, the lack of disclosure is still a security and privacy concern because users may not realize data they supply is being sent to another service.

Missing User Warnings

Low
Confidence
79% confidence
Finding
Creating folders and rewriting UI settings are local state changes performed without an explicit warning. This is not severe by itself, but silent configuration mutation can surprise users and be abused to redirect workflow state or create persistence-like changes in the workspace.

Missing User Warnings

Low
Confidence
72% confidence
Finding
Appending to MEMORY.md changes a persistent workspace file without an explicit disclosure to the user. In collaborative or agent-driven environments, undisclosed persistent writes can affect future agent behavior and create auditability issues.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function packages the full MEMORY.md contents, path, section list, and character count into a payload intended for external agents, with no consent gate, redaction, classification, or warning. In this skill's context, the bridge is explicitly designed to send internal memory between systems and agent swarms, which increases the likelihood that sensitive notes, credentials, tokens, file paths, or private operational context could be disclosed beyond the original trust boundary.

VirusTotal

64/64 vendors flagged this skill as clean.