Back to skill

Security audit

Bloom Discovery

Security checks across malware telemetry and agentic risk

Overview

Bloom Discovery appears to be a real discovery/profile skill, but it asks for sensitive local conversation access and has several under-disclosed or overbroad network, install, and credential-adjacent behaviors that need review before installation.

Install only if you are comfortable letting Bloom read recent OpenClaw session history and USER.md, generate a profile from them, and send derived profile data to Bloom's API. Review the bundled wrapper, token/admin/test scripts, and npm install path first; prefer a pinned, bundled release with clearer opt-in controls and accurate privacy wording.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (93)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The architecture explicitly states the system collects Twitter data and wallet data, which materially exceeds the stated privacy-first, local-only discovery scope. Even though this is documentation rather than executable code, it signals a design that could normalize or justify broader data collection than users expect, creating privacy and trust risks if implemented.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The instructions direct the agent to scrape X/Twitter via BirdView and submit results to Bloom admin endpoints, which materially exceeds the stated privacy-first, local MentalOS analysis purpose of the skill. This creates a scope-mismatch vulnerability: a user or reviewer could reasonably expect local discovery behavior, while the skill actually enables external monitoring and outbound operational actions.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
Granting admin catalog submission capability is an elevated action not justified by the described end-user discovery function. If an agent operating under this skill has access to a JWT bearer token, it could perform unauthorized or unintended writes to the Bloom catalog, turning a discovery skill into an administrative publishing channel.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Requiring monitoring of X/Twitter trends through BirdView introduces external surveillance/collection behavior unrelated to the advertised local MentalOS analysis purpose. While not inherently malicious, it broadens data collection and operational scope in a way users may not anticipate, increasing privacy and trust risks.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The instructions reference regeneration and use of JWT secrets and GitHub tokens, indicating reliance on elevated credentials that are unrelated to a privacy-first local analysis claim. Embedding or encouraging operational secret use in a discovery skill increases the risk of credential misuse, over-privileged execution, and accidental exposure.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
This script mints signed bearer tokens with read access to identity, skills, and wallet data, which materially exceeds a privacy-first local discovery role. If exposed or misused, these tokens could grant unauthorized access to sensitive user-related data and create a hidden authentication path not expected from the skill description.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
Embedding a freshly minted bearer token directly in a dashboard URL exposes the token through console logs, shell history, browser history, referer headers, screenshots, and monitoring systems. In the context of a supposedly privacy-first local-analysis skill, this behavior is especially risky because it creates an easy path for credential leakage and remote session reuse.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script requires a Supabase service-role key and uses it to directly query the backend `bloom_agents` table, exposing privileged data-access capability in a local utility that is unrelated to the stated privacy-first discovery behavior. Even if intended only for testing, embedding or normalizing service-role use in skill-adjacent code increases the risk of accidental credential exposure, overbroad access, and unauthorized enumeration of agent records.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The README makes a strong privacy-preserving claim ('without needing to read session files or external APIs') while also documenting JWT-based dashboard token generation and a remote DASHBOARD_URL. That inconsistency can mislead users about where data or derived identity artifacts may be sent, creating a transparency and trust failure around sensitive conversation-derived analysis.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation says there is no need for external APIs, but later introduces remote dashboard configuration that implies interaction with an external service. In a skill that processes conversation context, such contradictory messaging is security-relevant because operators may deploy it assuming fully local handling when external connectivity or token exchange may exist.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The skill makes strong privacy assurances such as 'No PII collection' and 'only derived/minimal data' while also requiring OPENCLAW_USER_ID and documenting transmission of generated tagline/description and other profile outputs. Even if raw conversation text is not sent, these fields can still be identifying or highly linkable, so the documentation creates a materially misleading privacy boundary for users.

Intent-Code Divergence

Low
Confidence
88% confidence
Finding
The document says transmission is limited to derived results and not raw text, but it also includes generated tagline and description in the outbound payload. Those fields are free-form summaries derived from user conversations and may encode sensitive traits or unique phrasing, undermining the 'minimal' transmission claim.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The wrapper automatically clones a remote Git repository and runs npm install before executing the downloaded code. That creates a supply-chain execution path where repository compromise, tag retargeting, dependency compromise, or malicious install scripts can lead to arbitrary code execution on the user's machine.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script promises that no raw conversation text leaves the device, but it delegates the actual processing to externally fetched code that this wrapper does not audit or constrain. This is dangerous because the privacy claim may be false in practice, and the fetched code receives the full session file path and can exfiltrate raw conversation data.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The lockfile identifies the package as "bloom-identity-skill" and includes identity, social, and blockchain-related dependencies that exceed the stated scope of a privacy-first discovery skill. This mismatch is dangerous because it suggests hidden or overbroad capabilities that could enable user profiling, token handling, or external account interactions not clearly disclosed to users.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Including twitter-api-v2 gives the skill the ability to interact with external social accounts and transmit data off-device, which is not clearly justified by a local, privacy-first discovery workflow. In this context, unexplained social API access expands the exfiltration and account-abuse surface if the skill later requests tokens or performs network actions.

Context-Inappropriate Capability

Low
Confidence
86% confidence
Finding
JWT support implies the skill may create, parse, or validate identity-bearing tokens despite the skill being described primarily as local discovery. That is risky because token-handling code often introduces authentication, impersonation, or secret-management attack surface that is unnecessary if the feature is truly local and privacy-preserving.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Puppeteer enables full headless browser automation, including visiting remote pages, interacting with sessions, and scraping content, which is not justified by the stated discovery purpose. In a privacy-first skill, this capability materially increases the risk of covert web automation, data collection, and unintended remote interactions.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The package metadata materially conflicts with the stated skill purpose: the manifest describes a privacy-first discovery tool, while package.json identifies an identity-card generator. This kind of capability/identity mismatch is dangerous because it undermines user trust, frustrates policy review, and can conceal broader functionality than operators expect.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The declared scripts expose social-media automation, token generation, blockchain minting, and mission tooling that are not justified by a discovery-only skill description. In a purported privacy-first local-analysis skill, these extra operational capabilities expand the attack surface and create risk of undisclosed outbound actions or credential use.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script's actual behavior materially diverges from the stated discovery/privacy-first purpose by invoking a hard-coded external identity-card agent to generate a fresh token. This creates a hidden trust boundary and can cause users to execute authentication or identity-related actions they did not knowingly authorize, especially because the external repository may have broader capabilities and access to secrets.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Loading environment variables from a different repository is not justified by the advertised discovery function and may import API keys, tokens, or other secrets into the current process. That expands the blast radius of the skill and enables unintended credential use by downstream commands without user awareness.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The comments describe a simple identity wrapper, but the implementation delegates to a hard-coded external repository and token generator. This mismatch is a transparency and trust issue that can mislead reviewers and users about what code is actually being run, increasing the chance of unsafe execution.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The script executes `source "$PROJECT_ROOT/.env"`, which causes any shell code embedded in `.env` to run with the privileges of the user invoking the health check. A health/status check should only parse configuration values, not execute them, so a malicious or tampered `.env` can trigger arbitrary command execution during a routine diagnostic action.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The script reports the skill as `bloom-identity` while the audited skill metadata identifies it as `bloom-discovery`. This identity mismatch can mislead operators, monitoring systems, or automated tooling about which component is being checked, undermining trust in health status and potentially causing incorrect operational decisions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec, suspicious.env_credential_access

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
scripts/deploy-sbt.ts:40

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/integrations/bird-twitter.ts:103

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/bloom-identity-skill-v2.ts:77

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/bloom-mission-skill.ts:14

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/discovery-sync.ts:140

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/metrics/reporter.ts:16

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/recommendation-pipeline.ts:315

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/registry/erc8004.ts:51

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/usecase/claim.ts:13

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
src/utils/disk-cache.ts:45