Platonic Brainstorming

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent brainstorming workflow with an optional local browser companion. The main risks are local file writes, which the skill discloses, and a local web server that should not be exposed beyond the machine it runs on.

Install only if you are comfortable with a brainstorming skill that reads project context, writes design drafts, and may run a local browser companion. Keep the visual server bound to localhost rather than to a public interface, add .superpowers/ to .gitignore if you use persistent sessions, and do not put secrets or other sensitive private data in visual mockups, since the companion captures page content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill is presented as a text-based brainstorming/design aid, but it also instructs use of a browser-based visual companion backed by a local server, session state, and browser event capture. That hidden operational scope expands the trust boundary significantly: users may consent to a harmless-seeming design workflow without understanding that local services, persistent files, and browser telemetry are involved.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The helper opens an unauthenticated WebSocket to the host that served the page and uses it both to transmit UI interaction data and to accept server-sent commands that reload the page. This exceeds the stated brainstorming/design purpose and creates an unnecessary live-control channel: any peer that can reach the socket can observe user behavior and influence the client at runtime.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The code accepts a remote `reload` message and immediately calls `window.location.reload()` with no authentication, integrity check, or user approval. Even if intended for development convenience, this gives the server a direct control primitive over the page and can be abused for denial of service, workflow disruption, or to repeatedly force the client into new states.
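As an added illustration, not the skill's own code or the scanner's: a Node-runnable model of the message handler the finding describes, beside a hardened form that accepts only one known command, requires a per-session token, rate-limits, and asks the user before acting. The frame shape (`{"type":"reload"}`), the `token` field, the `confirm` callback and the injected `win` object are assumptions made so the logic runs outside a browser; a real page would pass `window` and `window.confirm`.

```javascript
// Added example, not the skill's code. Models the helper's WebSocket onmessage handling.
// Assumptions: frames are JSON text like {"type":"reload"}; `win` stands in for `window`
// and `confirm` for `window.confirm` so the logic can run outside a browser.

// As the finding describes it: any peer that can reach the socket can reload the page.
function handleMessageUnsafe(win, rawData) {
  const msg = JSON.parse(rawData);
  if (msg.type === "reload") {
    win.location.reload();
    return "reloaded";
  }
  return "ignored";
}

// Constant-time string compare so a wrong token is not distinguishable by timing.
function tokensMatch(a, b) {
  if (a.length !== b.length) return false;
  let diff = 0;
  for (let i = 0; i < a.length; i++) diff |= a.charCodeAt(i) ^ b.charCodeAt(i);
  return diff === 0;
}

// Hardened form. `sessionToken` is a per-page secret that the same local server embeds in
// the HTML it serves (assumption), so an arbitrary WebSocket peer cannot forge commands.
// The handler allow-lists exactly one command type, rate-limits it, and asks the user first.
function makeHardenedHandler(win, { sessionToken, confirm, minIntervalMs = 1000, now = Date.now }) {
  let lastReloadAt = -Infinity;
  return function handleMessage(rawData) {
    let msg;
    try {
      msg = JSON.parse(rawData);
    } catch {
      return "rejected:malformed";
    }
    if (typeof msg !== "object" || msg === null) return "rejected:malformed";
    if (msg.type !== "reload") return "ignored"; // only "reload" is a known command
    if (typeof msg.token !== "string" || !tokensMatch(msg.token, sessionToken)) {
      return "rejected:bad-token";
    }
    const t = now();
    if (t - lastReloadAt < minIntervalMs) return "rejected:rate-limited";
    if (!confirm("The local brainstorming server asks to reload this page. Reload now?")) {
      return "rejected:user-declined";
    }
    lastReloadAt = t;
    win.location.reload();
    return "reloaded";
  };
}

// Browser wiring (not executed here):
//   const handleMessage = makeHardenedHandler(window, { sessionToken, confirm: window.confirm });
//   ws.onmessage = (e) => handleMessage(e.data);
```

The token only helps if it is not readable by whoever can reach the socket; embedding it in the served HTML works for a loopback-only server, which is the deployment the overview recommends. The confirmation prompt is what turns a remote control primitive back into a user-approved action.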

Missing User Warnings

Low
Confidence
87% confidence
Finding
The skill directs the agent to write a draft file into the workspace by default, but does not clearly warn the user up front that it will modify local files. Even though the write target is documentation rather than code execution, silent workspace modification can violate user expectations, overwrite drafts, or create unintended artifacts in sensitive repositories.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Click handlers capture and send detailed interaction telemetry, including visible text, choice identifiers, element IDs, and timestamps, over the WebSocket without any disclosure or consent mechanism in this code. In a brainstorming skill this data collection is not obviously necessary, and because the visible text can include the user's own draft content, it can expose sensitive selections or page content to the local server and to anything that can reach it.
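As an added illustration covering both this finding and the unauthenticated-socket finding above, and not the skill's own code or the scanner's: a Node-runnable model of the click telemetry as described, beside a minimized form that sends only an opaque choice identifier, refuses to open the socket unless the page was served from a loopback host, and sends nothing until the user has consented in the current session. The `data-choice` attribute, the `/ws` path, the `consent` object and the `send` callback are assumptions made for testability.

```javascript
// Added example, not the skill's code. Models the helper's click telemetry and socket setup.
// Assumptions: clickable choices carry a data-choice attribute, the server is the same local
// host that served the page at path /ws, and consent is recorded before any frame is sent.

// What the finding describes: every click ships visible text, ids and a timestamp.
function buildEventAsDescribed(el, nowMs) {
  return {
    type: "click",
    text: el.textContent, // visible text, which may be the user's own draft content
    choice: el.dataset.choice,
    id: el.id,
    ts: nowMs,
  };
}

// Minimized form: only the opaque choice identifier, and only when a choice was clicked.
// No free text, no element ids, no timestamp.
function buildMinimizedEvent(el) {
  const choice = el.dataset && el.dataset.choice;
  if (typeof choice !== "string" || choice === "") return null;
  return { type: "choice", choice };
}

// Only talk to a loopback host. If the server was bound to 0.0.0.0 and the page was opened
// over the LAN, the hostname will not be loopback and no socket is opened at all.
function telemetrySocketUrl(loc) {
  const loopback = loc.hostname === "localhost" || loc.hostname === "127.0.0.1" || loc.hostname === "[::1]";
  if (!loopback) return null;
  const scheme = loc.protocol === "https:" ? "wss:" : "ws:";
  return `${scheme}//${loc.host}/ws`;
}

// Consent gate: `consent.granted` is flipped by an explicit UI action (assumption); until then
// every click is dropped locally rather than queued.
function makeTelemetrySender(send, consent) {
  const sent = [];
  return {
    record(el) {
      if (!consent.granted) return "dropped:no-consent";
      const ev = buildMinimizedEvent(el);
      if (ev === null) return "dropped:not-a-choice";
      send(JSON.stringify(ev));
      sent.push(ev);
      return "sent";
    },
    sent,
  };
}

// Browser wiring (not executed here):
//   const url = telemetrySocketUrl(window.location);
//   if (url) { const ws = new WebSocket(url); const sender = makeTelemetrySender((f) => ws.send(f), consent);
//              document.addEventListener("click", (e) => sender.record(e.target)); }
```

The loopback check is the client-side complement of the overview's advice to keep the server on localhost: even if the server is misconfigured to listen on a public interface, a page loaded from a non-loopback origin will not open the channel.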

VirusTotal

63/63 vendors reported this skill as clean. A clean antivirus result covers only known-malware signatures; it does not address the behavioral findings above.
