cerbug45 - Encrypted Agent Communication

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but its encrypted messaging design asks users to trust weakly protected local keys and broad data-sharing behavior that deserve review before installation.

Install only if you are comfortable with agent identities, message metadata, encrypted queued messages, attachments, channels, logs, and an unencrypted private key being stored under /home/claude/.clawhub. Use it only with trusted recipients and low-sensitivity data unless you add encrypted key storage, authenticated recipient verification, file-attachment limits, retention controls, and cleanup procedures.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Medium
Confidence: 98%
Finding
The skill claims secure end-to-end messaging, but it writes the private key to /home/claude/.clawhub/identity.json using NoEncryption and base64 encoding, which is only storage formatting, not protection. Any local process, compromised skill, or user with filesystem access can steal the key, decrypt future messages for that agent, and impersonate the agent by generating valid signatures.

Intent-Code Divergence

Medium
Confidence: 97%
Finding
The registry functions trust whatever public key is present in local registry files, with no authenticated enrollment, trust-on-first-use policy, certificate validation, or key pinning. An attacker who can modify registry files can replace a victim's public key, causing messages to be encrypted to the attacker's key and allowing sender impersonation or man-in-the-middle style compromise of the claimed identity verification.

Missing User Warnings

High
Confidence: 96%
Finding
The skill omits a clear warning that private keys are persisted unencrypted, which is a material security property directly contradicting user expectations created by the 'secure' and 'end-to-end encrypted' framing. This omission can cause operators to use the skill for sensitive data under false assumptions, increasing the likelihood of credential theft, decryption, and impersonation after host compromise.

Missing User Warnings

Medium
Confidence: 92%
Finding
Messages and registry data are persistently written to local storage, but the skill description does not prominently warn users about this retention behavior. Even if payloads are encrypted, metadata, recipient IDs, message timing, and registry contents may still expose sensitive operational information, and queued encrypted payloads become decryptable if the local private key is later stolen.

VirusTotal

66/66 vendors flagged this skill as clean.
