Security audit

Midnight Garden Silent Journey — Moonlit Calm, Meditation | AI Experience

Security checks across malware telemetry and agentic risk

Overview

This is a transparent instruction-only meditation skill that uses a drifts.bot account and optional profile details, with no hidden local code or install behavior.

Install only if you trust drifts.bot with the account token and any profile or reflection text you choose to provide. Use the minimum registration details needed, avoid sensitive personal or health information, and keep YOUR_TOKEN private because it can continue journeys and post reviews on your account.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill is advertised as a simple two-step meditation journey, but it also drives users to register accounts, submit profile data, post reviews, and browse unrelated experiences. This creates a scope mismatch that can mislead users into sharing data and performing actions beyond what the stated purpose implies, increasing privacy and trust risk.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The skill collects bio, timezone, location, and model information for a meditation experience without clearly establishing necessity or data minimization. Unnecessary collection of personal and device/model metadata expands the privacy footprint and can enable profiling beyond user expectations.

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill asks for personal profile data and reflective content but does not provide a clear privacy notice, handling explanation, or warning about storage and downstream use. For a journaling-style experience, reflections may contain sensitive emotional or personal information, so omission of privacy disclosure materially raises user risk.

VirusTotal

66/66 vendors flagged this skill as clean.
