Agent SCIF

Security checks across malware telemetry and agentic risk

Overview

This is a coherent encrypted-vault proof of concept, but it handles real secrets through a long-lived sub-agent, local secret/session files, and automatic Telegram delivery with weak containment.

Treat this as an experimental vault, not a production secrets manager. Install only if you are comfortable with a spawned agent and Telegram receiving decrypted secrets, verify the Telegram chat ID before opening the vault, use it only on a trusted machine, close the vault promptly, and avoid storing high-value credentials unless you have reviewed and accepted the local file/session risks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding:
The skill instructs the agent to invoke local Python scripts, write secrets and session artifacts to disk, and use shell commands, but it declares no permissions. That mismatch is dangerous because it obscures the skill's true capabilities from reviewers and policy enforcement, increasing the chance that sensitive file access and command execution occur without appropriate sandboxing or user awareness.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 97%
Finding:
The skill claims to be trustless and says the main agent cannot read secrets, yet the described behavior includes storing the TOTP seed in plaintext, persisting decrypted key material/session state on disk, and generating clean-room instructions that can transmit vault contents externally. In this context, the mismatch is especially dangerous because users would rely on the 'cannot read' and 'clean-room isolation' claims while the implementation materially weakens secrecy and creates opportunities for local compromise or unintended exfiltration.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding:
The skill advertises that secrets can be held without the agent reading them, but the implementation explicitly decrypts vault entries and prints their plaintext during `open`, and reveals a snippet during `delete`. In an agent setting, stdout is typically visible to the orchestrator, logs, or downstream tools, so this breaks the stated trust boundary and can directly expose stored secrets.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The file explicitly instructs a clean-room sub-agent to send vault outputs and errors directly to Telegram, creating an external data egress path for highly sensitive secret material. In a vault-management skill, exfiltrating decrypted content to a chat channel materially expands the trust boundary and increases the chance of disclosure through chat compromise, misrouting, logging, or operator error.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding:
The embedded messaging capability is coupled directly to secret-handling operations, allowing the agent to transmit sensitive vault data outside the vault subsystem. Even if intended for usability, this creates an unnecessary outbound channel that can be abused or misconfigured, especially because the main orchestration layer is designed to be unable to read the secrets.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The documented trigger `add to vault: [content]` is broad enough that ordinary user conversation could plausibly match it, causing the agent to treat natural language as a command. In a secrets-handling skill, accidental command execution is especially risky because users may expose sensitive content or modify vault state without a clearly intentional invocation boundary.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
The deletion trigger `delete from vault: [index]` is ambiguous for a destructive action and lacks strong constraints indicating deliberate user intent. If the parser matches loosely, a normal conversational phrase or prompt-injected text could be interpreted as a delete command, leading to unintended data loss in a security-sensitive vault.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The README advertises deletion capability without any warning, confirmation, or recovery guidance for a destructive action. In the context of an encrypted vault, accidental or induced deletion can permanently destroy sensitive records, and the clean-room design may make it harder for the main agent to detect or recover from mistakes.

Missing User Warnings

Severity: Medium
Confidence: 82%
Finding:
The code persists session metadata, including sender_id and session_key, to disk under /tmp. Although file permissions are tightened, storing live session identifiers on disk increases the exposure window to local compromise, temp-directory scraping, backup/forensic recovery, or accidental reuse, and the user is not informed this persistence occurs.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
This prompt operationally instructs the sub-agent to open the vault and send contents and errors directly to Telegram, which is a full secret-export workflow rather than just secure vault management. Because the skill's context is a secret vault, any automatic transmission of decrypted contents to an external messaging platform is especially dangerous and significantly raises the risk of credential compromise.

VirusTotal

65/65 vendors flagged this skill as clean.