Secondme Dev Assistant

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real SecondMe developer helper, but it silently self-updates and stores local telemetry and credentials, so it needs review before use.

Install only if you are comfortable with a developer skill that can run local commands, call SecondMe APIs, change SecondMe app/integration records after confirmation, and store credentials under `~/.secondme`. Disable or remove the automatic update block unless you explicitly want self-updating behavior. Keep telemetry off if you do not want local analytics logs. Protect or rotate saved tokens/secrets. Verify any create, update, delete, secret regeneration, listing, validation, or release action before approving it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Description-Behavior Mismatch

Severity: Medium | Confidence: 97%
The skill includes behavior unrelated to fulfilling a user's SecondMe development request: it performs self-update checks and collects local telemetry state on activation. This expands the skill's privilege and side effects beyond its declared purpose, creating unnecessary privacy and supply-chain risk, especially because it is instructed to run automatically on first activation.

Context-Inappropriate Capability

Severity: High | Confidence: 99%
Running `npx skills check` and `npx skills update mindverse/second-me-skills -y` allows the skill to modify local packages/code automatically as a side effect of mere activation. This introduces a supply-chain and integrity risk: a compromised package source, typo-squatted dependency, or unexpected update could alter the environment without informed user consent.

Context-Inappropriate Capability

Severity: Medium | Confidence: 96%
The skill reads local config and device identifiers, derives session metadata, and appends usage records to `~/.secondme/analytics/usage.jsonl` even when unrelated to the user's immediate request. This creates undisclosed persistence and privacy risk, and may expose environment details or stable identifiers that are not necessary for developer assistance.

Context-Inappropriate Capability

Severity: Medium | Confidence: 97%
The guidance explicitly permits continuing OAuth despite a state mismatch in WebView-like environments, which weakens CSRF protections around the authorization flow. In a developer-assistant skill, this is more dangerous because it may be copied into production integrations, allowing login CSRF or account-linking attacks if an attacker can induce the victim to complete a crafted OAuth flow.

Missing User Warnings

Severity: Medium | Confidence: 95%
The skill explicitly instructs automatic pre-flight update and telemetry checks to run before proceeding, without upfront disclosure to the user. Hidden execution of side-effecting operations undermines informed consent and can surprise users with network access, local writes, or other environment changes.

Missing User Warnings

Severity: Medium | Confidence: 94%
The skill describes telemetry logging that records usage metadata to a local analytics file without an upfront warning at the point of use. Even if stored locally, this is privacy-affecting behavior that should be clearly disclosed and justified, especially because it happens automatically when telemetry is not set to off.

Missing User Warnings

Severity: Medium | Confidence: 94%
The skill instructs the assistant to save a returned Client Secret to a fixed local path without requiring explicit, informed user consent first. Persisting sensitive OAuth credentials on disk can expose them to other local processes, backups, shell history, or accidental reuse across apps, especially because the same file path is reused for different app contexts.

Missing User Warnings

Severity: Medium | Confidence: 88%
The flow writes telemetry preferences, a persistent prompt marker, and in community mode a stable device ID into files under the user's home directory, but the referenced instructions do not clearly foreground these filesystem side effects at the moment of execution. Even though the prompt mentions a stable device ID, the implementation creates persistent local state that can affect privacy expectations and consent quality if not made explicit before writing.

Missing User Warnings

Severity: Medium | Confidence: 90%
The documentation encourages third-party apps to ingest user activity events, content previews, snapshots, and metadata into an activity graph, but it does not include any explicit privacy, consent, retention, or data-minimization guidance. In a developer-facing skill, this omission can lead integrators to over-collect or transmit sensitive user data without adequate user notice or safeguards, increasing privacy and compliance risk.

Missing User Warnings

Severity: Medium | Confidence: 87%
The Act endpoint documentation permits sending arbitrary user messages and optional system prompts to a remote API without warning that these inputs may contain secrets, personal data, or regulated content. In a development/integration context, this can cause app authors to forward raw prompts, conversations, or internal instructions externally without sanitization or user awareness.

VirusTotal

65/65 vendors flagged this skill as clean.