
Security audit

LoomLens Live

Security checks across malware telemetry and agentic risk

Overview

LoomLens mostly matches its cost-estimation purpose, but it needs Review because it under-scopes model overrides and handles prompts/API keys in ways users may not expect.

Install only after reviewing the source and trusting the Signal Loom provider and endpoint. Use a revocable or low-scope API key, avoid running estimates on sensitive prompts, and require the override route to be declared, authenticated, model-allowlisted, and cleared after one prompt before enabling it in an important workspace.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Description-Behavior Mismatch
Severity: High
Confidence: 95%
Finding: The manifest and description present the plugin as a cost-estimation tool, but the implementation can also override model selection via a hook and a separate control path. This hidden capability increases the risk of deceptive behavior because operators may install or trust it without realizing it can change model execution behavior for a session.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The code exposes POST /loomlens/override, which can alter session behavior, but this route is omitted from the manifest routes list. Undocumented privileged control surfaces are dangerous because security review, policy enforcement, and users may miss that the plugin accepts remote requests capable of changing model choice.

Intent-Code Divergence
Severity: Medium
Confidence: 84%
Finding: The skill accepts prompt text from cross-window messaging and later transmits prompts back to a parent window using postMessage with a wildcard target origin. In an embedded context, sensitive user prompts can be exposed to an unexpected parent or origin without clear user consent, making the comment about billing timing misleading and masking a real data-sharing boundary.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The API key is persisted in localStorage, which is readable by any script executing in the page origin, including injected third-party or compromised code. Storing long-lived credentials client-side without clear disclosure increases the chance of credential theft and unauthorized API use.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: User prompt content is sent to a third-party API, but the UI does not clearly disclose that potentially sensitive text will leave the local context. In an agent/sidebar setting, users may paste secrets, proprietary code, or personal data, making silent transmission materially risky.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: User-entered prompts are sent to an external service endpoint along with the selected model and authenticated API key, but the UI does not prominently warn that prompt contents leave the local page. In an agent skill context, prompts may contain sensitive business data, secrets, or personal information, so undisclosed transmission increases privacy and compliance risk.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The API key is persisted in localStorage, which is readable by any script running in the same origin, including injected or compromised third-party code. In a browser-based skill, this materially increases the blast radius of any XSS or origin compromise because the stored bearer token can be exfiltrated and reused.

External Transmission
Severity: Medium
Category: Data Exfiltration
Content:
          target_models: [modelId],
          include_postmortem: false,
        };
        const res = await fetch('https://api.signallloomai.com/v1/estimate', {
          method: 'POST',
          headers: {
            'Authorization': 'Bearer ' + state.apiKey,
Confidence: 90%
Finding (matched pattern): fetch('https://api.signallloomai.com/v1/estimate', { method: 'POST'

External Transmission
Severity: Medium
Category: Data Exfiltration
Content:
          target_models: [modelId],
          include_postmortem: false,
        };
        const res = await fetch('https://api.signallloomai.com/v1/estimate', {
          method: 'POST',
          headers: {
            'Authorization': 'Bearer ' + state.apiKey,
Confidence: 90%
Finding (matched pattern): https://api.signallloomai.com/

VirusTotal

67/67 vendors flagged this skill as clean.
