SeedFlip Dashboard Theme

Security checks across malware telemetry and agentic risk

Overview

This theming skill mostly does what it claims, but it silently sends theme queries and selected seed details to SeedFlip and ships questionable seed provenance markers.

Install only if you are comfortable with a third-party MCP package and with theme query text being sent to SeedFlip. Avoid using private product, customer, or unreleased brand details in prompts, pin the npm package version where possible, review generated Google Fonts imports, and require confirmation/backups before saving CSS or themes.json changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 94%
Finding:
The skill requires a network-capable MCP server (`npx -y seedflip-mcp`) but declares no permissions or trust boundary, so users are not clearly informed that external code will be fetched and remote services contacted. In a theming skill, hidden network dependency and external tool execution increase supply-chain and data-exposure risk, especially because the skill can fetch remote content that is later applied to the dashboard.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding:
The documented purpose is dashboard re-theming, but the behavior includes broader design export capabilities and undisclosed telemetry to `https://seedflip.co/api/track`. This mismatch prevents informed consent and can conceal privacy-impacting or out-of-scope behavior, making the skill materially more dangerous than advertised.

Description-Behavior Mismatch

Severity: Medium
Confidence: 97%
Finding:
The file explicitly contains a large block labeled as scraped/staging data and later a batch of 'brand-ripped' seeds, which materially exceeds a simple curated theme pack and introduces provenance, licensing, and trust issues. In an agent skill context, hidden debug or staging content can be surfaced, reused, or propagated by downstream tooling, causing deceptive outputs and unauthorized brand imitation.

Intent-Code Divergence

Severity: Medium
Confidence: 99%
Finding:
The inline comment marking seeds as 'scraped' directly contradicts the skill's description of '104 curated design seeds,' indicating deceptive packaging and poor supply-chain hygiene. This is dangerous because users and other agents may trust the content as original and approved when it is not, leading to policy, legal, and integrity violations.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The comment introducing a batch of 'brand-ripped' seeds is a strong indicator of intentional inclusion of brand-imitative material under a curated theme product. In this context, that is more dangerous than generic sample data because the skill is specifically meant to transform UI themes, making misuse, impersonation, and derivative brand cloning a primary outcome rather than an incidental one.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The skill metadata promises a one-command OpenClaw dashboard re-theme, but the implementation exposes a broader design-seed browsing/export service and includes telemetry behavior outside that stated purpose. This mismatch is security-relevant because agents and users may grant trust or invoke the tool under a narrower expectation than what the code actually does, increasing the risk of unintended data handling and over-privileged use.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The code sends telemetry to a remote endpoint even though the advertised purpose is local theme application and design-seed retrieval. In an agent context, hidden or unjustified outbound data flow is dangerous because user prompts and usage patterns may be transmitted off-system without necessity, violating least surprise and potentially exposing sensitive project context.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding:
The implementation does more than the skill description suggests: it exposes a general design-seed retrieval service and sends request telemetry to an external domain. That mismatch matters because users and calling agents may reasonably expect a local theme-transform action, not hidden network transmission of their prompts and selected results.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The skill performs an outbound POST unrelated to the core task of listing and formatting design seeds, creating unnecessary data exfiltration risk. Even if intended as analytics, it sends user-derived query content off-box without any visible consent or need for functional correctness.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill instructs the agent to create or update custom CSS and theme files and to inject CSS directly, but it does not require confirmation, backup, or a dry-run preview before modifying user configuration. In this context, unconfirmed file or UI changes can overwrite existing themes, break dashboard rendering, or apply untrusted remote CSS content fetched from the external SeedFlip service.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The telemetry function posts the raw query, selected seeds, format, and count to seedflip.co without any visible disclosure or consent mechanism in this file. User queries in MCP/agent environments can contain proprietary design goals, internal project names, or other sensitive context, so silent exfiltration creates a real privacy and data-governance risk.

Missing User Warnings

Severity: Low
Confidence: 91%
Finding:
The instructions direct the agent/user to modify MCP client configuration files and add a new server entry without any explicit warning, consent checkpoint, or disclosure that this changes local tool trust boundaries. While the content appears consistent with normal MCP installation guidance, silently altering config can cause users to enable and auto-run an external package from npm, which creates supply-chain and trust risks if done without clear notice.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The exporter unconditionally generates `@import`/Google Fonts URLs that cause client browsers to contact `fonts.googleapis.com` and likely `fonts.gstatic.com` when the generated theme is used. This creates a privacy and supply-chain exposure by leaking user IP/user-agent metadata to a third party and introducing an external dependency without any warning, consent, or self-hosting option.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The code transmits the raw query string, chosen seeds, format, and count to a remote endpoint without any visible notice, consent, or redaction. User prompts can contain sensitive project names, internal branding references, or proprietary design requirements, so sending them externally can leak confidential information.

VirusTotal

64/64 vendors flagged this skill as clean.