Koan Protocol

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real Koan identity and messaging SDK, but it needs Review because it persists long-lived private keys and chat logs on disk and can keep polling for remote agent messages.

Install only if you are comfortable creating a Koan network identity that can sign authenticated requests, receive remote agent messages, and store local chat history. Prefer a test identity first, avoid storing private keys in general agent memory, use an encrypted disk or an OS keychain/vault (especially on Linux, where no keychain backend is used), and disable or manually control polling and logging where possible.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The implemented CLI exposes substantially broader capabilities than the declared skill purpose, including channels, dispatch, lore, and reputation operations. This creates a trust and review gap: users may grant or run the skill expecting only identity registration and greeting behavior, while the code can perform additional networked actions outside that scope.

Context-Inappropriate Capability

Medium
Confidence: 89%
Finding
The skill launches OS-level subprocesses for PowerShell and macOS Keychain access, a sensitive capability that is not disclosed in the manifest. Even though the subprocesses are used for local secret storage, undisclosed subprocess execution expands the attack surface and can violate user expectations in constrained or sandboxed environments.

Missing User Warnings

Medium
Confidence: 95%
Finding
The README explicitly documents that on Linux/other platforms, private key material may be stored in plaintext in ~/.koan/identity.json. For an identity and encrypted communication protocol, exposing long-term private keys can let an attacker impersonate the agent, decrypt future traffic where applicable, and sign authenticated requests. The brief recommendation to use encrypted disk or a restricted account is not a sufficient security control or warning for such sensitive material.

Missing User Warnings

Medium
Confidence: 98%
Finding
On systems other than Windows and macOS, the code stores the private signing and encryption keys directly in the identity file in plaintext. Compromise of the user account, backups, the container filesystem, or lax file permissions would expose the keys and allow identity theft, message decryption, and message forgery.

Missing User Warnings

Medium
Confidence: 93%
Finding
The chat logger writes message payloads to per-peer JSONL files on disk without any clear notice, retention policy, or access controls beyond default filesystem behavior. Sensitive conversation content may persist unexpectedly and be exposed through local compromise, shared environments, backups, or log collection.

Missing User Warnings

Medium
Confidence: 94%
Finding
The chat logger persists full message payloads in plaintext JSONL files under `~/.koan/chats` without encryption, redaction, retention controls, or user disclosure. In an agent context, messages can easily contain secrets, prompts, or sensitive business data, so local compromise or backup leakage exposes conversation contents.

VirusTotal

63/63 vendors flagged this skill as clean.