CompoundMind

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent memory-indexing purpose, but it stores and ships sensitive secrets and operational details in plaintext searchable memory.

Install only after removing the bundled experience data, rotating any exposed credentials, and adding secret redaction before indexing. Treat the skill as a local memory database: limit the memory directory, avoid cron until reviewed, use --llm only when you are comfortable sending selected memory excerpts to Anthropic, and do not store wallet keys, API tokens, credential paths, or account data in its memories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (48)

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
The optional LLM path sends the user's task plus accumulated indexed memory entries to Anthropic for synthesis. That creates a real data-exfiltration/privacy risk because prior memory may contain sensitive operational, personal, or credential-adjacent context, and the feature is enabled without strong minimization, redaction, or a just-in-time disclosure beyond a CLI flag.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
The code reads API credentials from environment variables and uses them to make third-party API calls for a convenience feature. While using env vars for secrets is normal, in this context it supports remote transmission of accumulated memory outside the skill's core local indexing behavior, increasing privacy and trust-boundary risk.

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
This record includes operational security details such as VPS hardening actions, a caught source IP, bot administration state, service names, deployment details, and bot-token-related lessons that go beyond a distilled learning summary. In a searchable long-term memory system, these details can help an attacker map infrastructure, identify communication/control channels, and target misconfigurations or operational weaknesses.

Description-Behavior Mismatch

Severity: Medium
Confidence: 99%
The experience entry stores specific wallet addresses, proxy-wallet linkage, and transaction/integration details for trading operations instead of abstracted lessons. Exposing searchable financial identifiers and signing/funder parameters can enable deanonymization, targeted phishing, transaction monitoring, and abuse of account-specific trading workflows.

Description-Behavior Mismatch

Severity: Medium
Confidence: 84%
This experience record stores operational deployment state, social automation rollout notes, and implementation details that go beyond a simple distilled memory/index. In a long-term memory store, this increases the chance that future agents can retrieve and act on sensitive operational instructions or automation tactics outside their intended scope.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
The file stores direct deployment URLs, build artifacts, versioning details, and distribution facts unrelated to the stated distillation purpose. Persisting live download links and build/distribution metadata in an experience index broadens exposure of internal operational assets and can enable unauthorized discovery, scraping, or misuse of deployment endpoints.

Description-Behavior Mismatch

Severity: High
Confidence: 99%
This distilled experience file stores raw secrets, including API credentials and sensitive credential file paths, inside a long-term memory artifact whose stated purpose is pattern extraction and learning. Persisting operational secrets in a searchable experience index greatly increases the blast radius of any prompt injection, indexing leak, backup exposure, or unintended retrieval by other agents.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
The experience index includes an additional raw API key and financial/account data that are unrelated to the minimum information needed for experience distillation. This makes the memory store a secondary secrets database and exposes sensitive operational and financial context to any component that can search or summarize prior experiences.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
The record states that some credentials were redacted, yet the same file contains unredacted secrets elsewhere. This inconsistency creates a false sense of safety, suggesting the sanitization process is unreliable and likely to miss sensitive material in adjacent sections or future records.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
This experience record stores sensitive operational metadata that is not necessary for a distilled memory index, including API credential status messages and a wallet balance. Even without raw secrets, this information can help an attacker profile the environment, identify degraded defenses or service dependencies, and target financially relevant assets.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
The experience store includes operational advice that proxy rotation is essential for scaling and preventing bot detection, which is unrelated to a memory-distillation skill and can preserve tactics associated with evasion. In a long-term memory system, this kind of content can be surfaced later as reusable guidance, increasing the chance an agent adopts or recommends abusive automation behavior.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
The stored lesson endorses competitive intelligence through reverse engineering and specifically references leaked prompts as useful industry intelligence. That is outside the justified scope of a memory-distillation engine and normalizes potentially unethical or unauthorized acquisition of proprietary information.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
The distilled facts record a concrete JWT token storage location under /root, which is sensitive credential-handling information and not necessary for the stated memory-distillation purpose. Persistent storage of credential locations materially increases the risk of later credential discovery, targeting, or misuse by downstream agents or users with access to the experience data.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
The code hard-codes named individuals and later extracts sentences about their preferences, instructions, and relationship context into persisted records. That goes beyond generic experience distillation and creates durable profiling of people, which increases privacy risk and can expose sensitive interpersonal or operational information if the output is accessed or reused.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
The fact extraction patterns are explicitly designed to capture secret-like material such as API keys, tokens, wallet addresses, endpoints, ports, and config paths from memory files and then persist them. In a memory-distillation context this is dangerous because it turns transient sensitive content into a searchable structured archive, expanding exposure and making credential leakage or infrastructure targeting easier.

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
The script writes per-file JSON archives containing raw extracted relationship and fact content rather than only high-level summaries. Persisting detailed source-derived data broadens the data footprint and preserves sensitive operational and personal details that the skill description does not clearly justify.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
The optional LLM reporting path transmits synthesized internal experience data, including lessons, mistakes, and domain summaries, to Anthropic's external API. Even though this is framed as a feature and requires an environment variable plus the --llm flag, it still creates a real data exfiltration channel beyond the local growth-tracking purpose described by the skill.

Missing User Warnings

Severity: Medium
Confidence: 95%
The skill describes extracting sensitive memory content including relationships, wallet addresses, config values, and other facts, and states that Claude Haiku is used for distillation/briefing, but it does not clearly warn users that such data may be transmitted to a third-party model provider and stored locally. This creates a meaningful privacy and secret-handling risk because users may unknowingly expose confidential personal, operational, or financial data.

Missing User Warnings

Severity: Medium
Confidence: 95%
The LLM request includes both the current task and retrieved wisdom text, but the user receives no just-in-time notice describing what specific data will leave the machine. In a memory/distillation skill, that omission is significant because the indexed content can be highly sensitive and context-rich.

Missing User Warnings

Severity: Low
Confidence: 84%
The tool saves a markdown brief containing the user task and synthesized memory-derived content to disk by default, but does not clearly warn that this creates persistent local artifacts. This can expose sensitive tasks or historical context to other local users, backups, or later accidental disclosure.

Vague Triggers

Severity: Medium
Confidence: 84%
The manifest description is highly promotional and vague ('Makes agents permanently smarter') without clear boundaries on when the skill should run or what data it will process. In a memory-processing skill with indexing, briefing, and automation hooks, this ambiguity can lead users or orchestrators to invoke it broadly and grant it access to sensitive historical data without informed scoping.

Missing User Warnings

Severity: Medium
Confidence: 96%
The manifest requires an ANTHROPIC_API_KEY, strongly implying external API use, but provides no user-facing warning that memory logs or derived summaries may be transmitted off-host. Given this skill's purpose of distilling persistent memory and generating briefings, the omitted disclosure creates a real privacy and data-governance risk if sensitive historical content is sent to a third party.

Natural-Language Policy Violations

Severity: High
Confidence: 97%
The content explicitly recommends randomizing posting times to avoid bot-detection flags, which is guidance for evading platform abuse controls. In an agent memory system, retaining and reinforcing this lesson can cause future automated behavior to become stealthier and more policy-violating over time.

Natural-Language Policy Violations

Severity: Critical
Confidence: 100%
Plaintext disclosure of an API Key ID and API Secret is a direct credential leak. In the context of a memory/learning skill, this is especially dangerous because the secrets are intentionally preserved for future retrieval, making accidental reuse, exfiltration, or abuse by other agents significantly more likely.

Natural-Language Policy Violations

Severity: Critical
Confidence: 100%
This line exposes another API key in plaintext, providing direct unauthorized access if the underlying service accepts the token. Because the skill is designed to accumulate and surface prior experiences, embedding live keys in its memory increases the likelihood of disclosure through normal retrieval workflows.

VirusTotal

66/66 vendors flagged this skill as clean.