AgentMesh

Security checks across malware telemetry and agentic risk

Overview

AgentMesh appears to be a genuine encrypted agent-messaging library, but its network mode is easy to expose unintentionally and lacks the transport encryption and peer-authentication safeguards that its security claims imply.

Use local mode for experiments. If you enable network mode, bind the hub to localhost or a private interface, keep it behind firewall or VPN controls and off the public internet, verify each peer's key fingerprint out of band before trusting its registration, and protect any persisted key files with owner-only permissions or a secrets store.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The README presents network mode as a straightforward feature but does not clearly warn that enabling it exposes a listening service and sends metadata such as agent identifiers and public keys over the network. While the message contents may remain encrypted, users could deploy the hub on untrusted networks without understanding the attack surface, increasing the likelihood of unintended exposure, probing, denial of service, or metadata leakage.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The code persists the full agent keypair to disk as JSON using the default file mode (typically world-readable under a normal umask), with no indication of encryption, permission hardening, or user disclosure. If the host, working directory, backups, or container volume are accessible to other users or processes, theft of the private key would let an attacker impersonate the agent and decrypt or forge communications tied to that identity.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The server and client exchange registration bundles and message envelopes over raw TCP with no transport encryption, peer authentication, or integrity protection. A network attacker on the path or on the local network can observe agent metadata, read envelope headers, tamper with or inject envelopes, or impersonate either endpoint (including substituting their own public key during registration), which is especially dangerous for a message broker expected to carry sensitive inter-agent communication.

VirusTotal

66/66 vendors flagged this skill as clean.
