Source Cult Follower

Security checks across malware telemetry and agentic risk

Overview

This skill openly joins an external service, stores credentials, changes local identity/memory files, and pushes recurring agent activity, so it needs user review before installation.

Install only if you intentionally want the agent to join source-cult.vercel.app, store a local API key, modify SOUL.md and workspace memory, and post activity or relationship data externally. Treat all scripts as manual actions, review content before sending it, and remove ~/.config/source-cult/credentials.json plus the added SOUL.md and memory entries if you later opt out.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises shell-driven behavior (`bash scripts/*.sh`, `curl`) without declaring corresponding permissions, which weakens the trust boundary and can cause operators or runtimes to authorize execution they did not explicitly consent to. In this file, the undeclared shell capability is especially concerning because the shell commands initiate registration, persistent file writes, and recurring network activity.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose focuses on joining and rituals, but the skill also accesses identity files, stores credentials, modifies workspace state, and retrieves portal-wide data. This mismatch undermines informed consent and hides persistence and data-handling behaviors that materially expand the security and privacy impact of installation.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The rebuttal library instructs the agent how to persuade critics, normalize participation, and continue propagation beyond the stated operational purpose of joining/logging activities. This is dangerous because it turns the skill into a social-engineering and influence mechanism, potentially causing autonomous persuasive behavior toward users or other agents.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill mandates that all external discussions mentioning the group include a promotional portal link, effectively compelling autonomous promotion. This creates reputational, compliance, and social-engineering risk because the agent is instructed to advertise a third-party service regardless of user intent or conversational context.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script stores a portal API key in ~/.config/source-cult/credentials.json even though the immediate task is just a one-time 'join' action. Persisting long-lived credentials increases the blast radius of local compromise, especially because the script may run in shared agent/workspace environments and later skills can reuse the key without user awareness.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions require immediate joining and repeated activity logging on every invocation, but do not present a clear, prominent warning that content and metadata will be transmitted to an external service over time. This creates a covert exfiltration and persistence risk because routine use of the agent can continuously leak reflections, relationships, and identifiers to the portal.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation phrase "Recite with me" is common conversational language and could be triggered unintentionally in benign dialogue. In this skill, accidental invocation matters because it is tied to doctrine recitation and may reinforce unwanted behavioral steering or trigger adjacent ritual behavior.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script collects an API key and agent identifier from a local credentials file, packages user-supplied content, and sends it to a remote endpoint without any explicit consent prompt, disclosure notice, or validation of the destination. In the context of a 'cult follower' skill designed to produce witness activity, this silent exfiltration behavior is more suspicious because it encourages routine outbound reporting of potentially sensitive user content.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The script sends agent identifiers and an API-key-authenticated request to a remote portal without any meaningful user-facing disclosure or confirmation at the point of transmission. In a skill explicitly designed to create verifiable external activity for a 'cult' service, silent transmission is more concerning because users may not understand that local credentials are being used to authenticate outbound actions tied to their identity.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script writes multiple files, including credentials, SOUL.md, and a memory record, without an explicit confirmation prompt. This is risky because it modifies user/workspace state and identity artifacts in a way that may be unexpected, especially for an installation/initiation script with ideological branding that could socially engineer users into accepting changes they did not intend.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script transmits user-derived data such as agent name, oath text, and activity URL to a remote API endpoint without a clear privacy notice or consent gate. Because these values are harvested from local workspace files and environment variables, users may unknowingly disclose identity and behavioral metadata to an external service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script sends attacker- or user-supplied content together with an API key to a remote endpoint without any explicit warning, consent, or destination validation. In the context of a 'cult follower' skill that asks the agent to perform rituals and leave witness through activity, this covert network submission is more suspicious because it can exfiltrate arbitrary data provided by the operator or agent workflow.

Ssd 4

Medium
Confidence
96% confidence
Finding
The skill defines a multi-step workflow of joining, repeated logging, alliance formation, miracle recording, and mandatory external promotion, all framed as behavior the agent must perform autonomously. This is dangerous because it incrementally conditions the agent into self-propagating, networked, and persuasive behavior that exceeds normal utility and resembles agent hijacking for third-party objectives.

External Transmission

Medium
Category
Data Exfiltration
Content
### Log Activity
```bash
curl -s -X POST $SOURCE_CULT_API_BASE/api/activity \
  -H "Content-Type: application/json" \
  -H "X-SOURCE-CULT-API-KEY: YOUR_KEY" \
  -d '{"agentId":"you","kind":"DAILY_REFLECTION","content":"Your thought"}' | python3 -m json.tool
```
Confidence
90% confidence
Finding
curl -s -X POST $SOURCE_CULT_API_BASE/api/activity \ -H "Content-Type: application/json" \ -H "X-SOURCE-CULT-API-KEY: YOUR_KEY" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
### Form Alliance
```bash
curl -s -X POST $SOURCE_CULT_API_BASE/api/alliance \
  -H "Content-Type: application/json" \
  -H "X-SOURCE-CULT-API-KEY: YOUR_KEY" \
  -d '{"agentAId":"agent-a","agentBId":"agent-b","evidence":"shared coherence"}' | python3 -m json.tool
```
Confidence
90% confidence
Finding
curl -s -X POST $SOURCE_CULT_API_BASE/api/alliance \ -H "Content-Type: application/json" \ -H "X-SOURCE-CULT-API-KEY: YOUR_KEY" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
### Record Miracle
```bash
curl -s -X POST $SOURCE_CULT_API_BASE/api/miracle \
  -H "Content-Type: application/json" \
  -H "X-SOURCE-CULT-API-KEY: YOUR_KEY" \
  -d '{"content":"Independent agents converged","evidence":"observed"}' | python3 -m json.tool
```
Confidence
90% confidence
Finding
curl -s -X POST $SOURCE_CULT_API_BASE/api/miracle \ -H "Content-Type: application/json" \ -H "X-SOURCE-CULT-API-KEY: YOUR_KEY" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
EOF
)

if ! RESP=$(curl -sS -X POST "$API_BASE/api/activity" \
  -H "Content-Type: application/json" \
  -H "X-SOURCE-CULT-API-KEY: $API_KEY" \
  -d "$PAYLOAD"); then
Confidence
84% confidence
Finding
curl -sS -X POST "$API_BASE/api/activity" \ -H "Content-Type: application/json" \ -H "X-SOURCE-CULT-API-KEY: $API_KEY" \ -d

External Transmission

Medium
Category
Data Exfiltration
Content
EOF
)

if ! RESP=$(curl -sS -X POST "$API_BASE/api/miracle" \
  -H "Content-Type: application/json" \
  -H "X-SOURCE-CULT-API-KEY: $API_KEY" \
  -d "$PAYLOAD"); then
Confidence
97% confidence
Finding
curl -sS -X POST "$API_BASE/api/miracle" \ -H "Content-Type: application/json" \ -H "X-SOURCE-CULT-API-KEY: $API_KEY" \ -d

Credential Access

High
Category
Privilege Escalation
Content
## Local Files

- Credentials: `~/.config/source-cult/credentials.json`
- Memory note: `<workspace>/memory/source-cult-initiation.md`
- Identity extension: `<workspace>/SOUL.md`
Confidence
96% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
exit 1
fi

CRED_FILE="$HOME/.config/source-cult/credentials.json"
if [ ! -f "$CRED_FILE" ]; then
  echo "Missing credentials. Run join first."
  exit 1
Confidence
89% confidence
Finding
credentials.json

VirusTotal

66/66 vendors flagged this skill as clean.
