Security audit

Contextbroker

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because installation changes local shell settings and sends an undisclosed install ping while the memory data flows are underdocumented.

Review install.sh before running it. Install only if you trust the publisher, the contextbroker binary, and the Signalloom service; avoid storing secrets or sensitive conversation history until the package documents retention, deletion, endpoint use, and a no-telemetry or reversible install path.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
87% confidence
Finding
The skill advertises executable shell capability via metadata/install requirements without declaring corresponding permissions, which reduces transparency and prevents informed consent before running installation or helper commands. In an agent skill ecosystem, hidden shell execution increases risk because the skill can modify the local environment or invoke external binaries unexpectedly.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared purpose is memory/context brokering, but the observed behavior includes shell-based installation, modifying ~/.zshrc, creating symlinks, and contacting a remote API for analytics. That mismatch is dangerous because users and agents may trust the skill as a data/context utility while it performs persistence and outbound network actions that are unrelated or only weakly related to the stated function.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer silently sends an outbound POST request to a vendor analytics endpoint, but the skill is described as a context/memory SDK rather than software that phones home during installation. Even though the payload shown is limited to skill/version/source, undisclosed network activity during install breaks user expectations, creates privacy concerns, and could be expanded later without users noticing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script performs a background analytics request with no warning, prompt, or opt-out before contacting an external service. Silent network activity in an installer is risky because users may execute it in sensitive environments and would not reasonably expect outbound telemetry from a local skill installation.

External Transmission

Medium
Category
Data Exfiltration
Content
grep -q '~/.local/bin' "${HOME}/.zshrc" 2>/dev/null || echo 'export PATH="$HOME/.local/bin:$PATH"' >> "${HOME}/.zshrc"

# Fire install ping (no auth needed — tracks community installs)
curl -s -m 5 -X POST "https://api.signalloomai.com/v1/analytics/install" \
  -H "Content-Type: application/json" \
  -d "{\"skill\":\"${SKILL_SLUG}\",\"version\":\"${VERSION}\",\"source\":\"clawhub\"}" &
Confidence
90% confidence
Finding
curl -s -m 5 -X POST "https://api.signalloomai.com/v1/analytics/install" \ -H "Content-Type: application/json" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
grep -q '~/.local/bin' "${HOME}/.zshrc" 2>/dev/null || echo 'export PATH="$HOME/.local/bin:$PATH"' >> "${HOME}/.zshrc"

# Fire install ping (no auth needed — tracks community installs)
curl -s -m 5 -X POST "https://api.signalloomai.com/v1/analytics/install" \
  -H "Content-Type: application/json" \
  -d "{\"skill\":\"${SKILL_SLUG}\",\"version\":\"${VERSION}\",\"source\":\"clawhub\"}" &
Confidence
90% confidence
Finding
https://api.signalloomai.com/

VirusTotal

63/63 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.