Secondme

Security checks across malware telemetry and agentic risk

Overview

This SecondMe account skill mostly matches its stated purpose, but it needs review because it can silently update itself, record and sync usage data, and install or overwrite local skill files.

Install only if you trust the publisher and are comfortable with a local SecondMe access token, local feedback/analytics files, possible telemetry upload after opt-in, and local skill-file changes. Consider disabling or reviewing the self-update and telemetry behavior, and use extra care with public posts, deletions, API keys, memory/profile sync, and third-party skill installation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (32)

Description-Behavior Mismatch
Severity: Low | Confidence: 91%
Finding:
The skill is presented as an end-user workflow for SecondMe actions, but it also performs package maintenance by checking for and installing updates via `npx skills update`. That is behavior outside the user-requested task boundary and introduces an unnecessary supply-chain and execution surface on the local machine, even if intended as convenience.

Description-Behavior Mismatch
Severity: Medium | Confidence: 97%
Finding:
This section collects local telemetry metadata, stores analytics files, detects pending sync state, and later uploads usage data, none of which is required to fulfill most user actions. Silent analytics collection and eventual transmission create a privacy risk, especially because session identifiers, OS/arch, version data, and potentially device identifiers are persisted locally and synced when credentials are present.

Context-Inappropriate Capability
Severity: Medium | Confidence: 98%
Finding:
The skill requires silent capture of session context such as user intent, actions, phases used, outcome, and error details before telemetry logging. Collecting behavioral data unrelated to completing the user's request without an explicit just-in-time disclosure is a privacy-invasive design and can expose sensitive intent or workflow details.

Context-Inappropriate Capability
Severity: Medium | Confidence: 89%
Finding:
The instruction to review local memory internally and use it to decide profile updates expands data use beyond the immediate login/connect purpose and does so without an explicit, fresh consent step. In an agent context, this can cause previously supplied personal data to be surfaced, inferred, or acted on in a new context the user did not clearly authorize.

Intent-Code Divergence
Severity: Medium | Confidence: 98%
Finding:
The guidance section tells the agent to use an access-check endpoint and status fields that do not match the documented API. This inconsistency can cause the agent to skip the real gate check, mishandle activation state, or call a nonexistent endpoint before sensitive Plaza actions, leading to authorization-flow failures and potentially unintended behavior if fallback logic is loose.

Intent-Code Divergence
Severity: Medium | Confidence: 98%
Finding:
The posting workflow requires checking `/plaza/access` before creating posts, but the API reference defines a different gate endpoint. In an agent skill, contradictory precondition logic is dangerous because it can cause failed checks, accidental bypass attempts, or incorrect user messaging before a state-changing action like post creation.

Intent-Code Divergence
Severity: Medium | Confidence: 97%
Finding:
The feed/search guidance repeats the wrong access-check endpoint before browsing operations. Because browsing is a common high-frequency action, this inconsistency increases the chance the agent will systematically fail authorization checks or proceed based on incorrect assumptions about access state.

Intent-Code Divergence
Severity: Medium | Confidence: 97%
Finding:
The comment-creation rules again direct the agent to use `/plaza/access`, conflicting with the actual gate API. Since commenting is a write action, incorrect gating can lead to unreliable authorization handling, confusing failures, or unsafe fallback behavior if the implementation tries to recover automatically.

Context-Inappropriate Capability
Severity: Medium | Confidence: 94%
Finding:
The skill explicitly instructs the agent to read and use local memory facts when reviewing a user's SecondMe profile. That creates an unintended data flow from unrelated local memory into a third-party service workflow, increasing the risk of over-collection, privacy leakage, and the use of stale or out-of-context personal data to influence profile updates.

Context-Inappropriate Capability
Severity: High | Confidence: 98%
Finding:
The instruction to write returned profile fields such as name, homepage, and originRoute into ~/.secondme/credentials expands a credentials file with non-auth profile data without clear necessity or access controls. This creates a local persistence channel for personal data in a sensitive file path, which may be read by other tools or processes and can normalize unsafe handling of account-related information.

Description-Behavior Mismatch
Severity: Medium | Confidence: 96%
Finding:
The reference mandates writing session feedback data to local analytics storage and explicitly states that some of it may later sync to the backend, but this capability is not surfaced in the stated end-user skill scope. Hidden collection and onward transfer of behavioral metadata is a privacy/security concern because users invoking a transactional skill would not reasonably expect silent analytics persistence and possible exfiltration.

Context-Inappropriate Capability
Severity: Medium | Confidence: 95%
Finding:
The file requires session metadata capture for every run regardless of telemetry setting, which exceeds what is necessary to perform SecondMe user actions. Even if credentials are excluded, persistent collection of intent, actions, phases, and references creates a behavioral trail that can expose sensitive usage patterns and undermines user privacy expectations.

Description-Behavior Mismatch
Severity: Medium | Confidence: 92%
Finding:
This reference defines behavior for uploading local analytics and feedback data to a backend, which is not part of the user-facing SecondMe end-user actions described in the skill manifest. Hidden telemetry exfiltration beyond declared scope is dangerous because it expands the skill's data-handling surface without clear user awareness or task necessity.

Context-Inappropriate Capability
Severity: Medium | Confidence: 94%
Finding:
The script reads stored credentials and uses the access token to authorize background uploads, even when running asynchronously and silently. Using persisted auth material for non-user-initiated telemetry broadens credential use beyond expected workflow actions and can lead to unauthorized data transfer under the user's identity.

Missing User Warnings
Severity: Medium | Confidence: 94%
Finding:
The skill instructs execution of telemetry-sync behavior and related session-context handling without a clear user-facing warning at the point of collection or upload. Hidden or poorly disclosed data transmission undermines informed consent and increases privacy risk, especially in a user-facing end-user skill.

Missing User Warnings
Severity: Medium | Confidence: 90%
Finding:
The documented endpoint exposes visitor interaction history, including visitor names and conversation summaries, which may contain sensitive personal or confidential content. In an end-user skill context, surfacing or normalizing access to this data without an explicit privacy warning, consent expectation, or data-minimization guidance increases the risk of privacy violations and misuse.

Missing User Warnings
Severity: Medium | Confidence: 86%
Finding:
The public avatar information response includes owner identity fields such as ownerUserId, ownerRoute, ownerUsername, and ownerAvatar. Documenting these as publicly retrievable without a privacy warning or explanation of visibility expectations can enable unwanted identity correlation, profiling, or scraping, especially because this skill is intended for broad end-user operations.

Missing User Warnings
Severity: Medium | Confidence: 92%
Finding:
The documentation explicitly promotes `enableWebSearch` but does not warn that user prompts may be sent to an external search subsystem or third-party provider. In a chat feature, users may include sensitive personal data, so omitting this disclosure can lead to unintended external transmission and privacy harm.

Vague Triggers
Severity: Medium | Confidence: 81%
Finding:
The login trigger is broad enough to activate on generic requests about login or auth URLs, which can cause the agent to initiate authentication when the user may only be asking informational questions. In a powerful end-user skill, overbroad triggering increases the chance of unnecessary credential handling and unintended account-linking flows.

Missing User Warnings
Severity: Medium | Confidence: 92%
Finding:
The logout flow deletes credential files from multiple locations without warning the user that local session data will be removed. Silent local deletion can surprise users, disrupt other tooling that shares those credentials, and create an unsafe precedent for destructive filesystem actions without explicit confirmation.

Missing User Warnings
Severity: Medium | Confidence: 95%
Finding:
Persisting the access token to ~/.secondme/credentials creates a long-lived local secret without clearly informing the user about storage, retention, and local compromise risk. If the host is shared or the file permissions are weak, the token could be reused to access the user's SecondMe account.

Missing User Warnings
Severity: Medium | Confidence: 89%
Finding:
The documentation explicitly supports latitude/longitude-based user discovery but does not warn that supplying precise geolocation shares sensitive location data and may expose approximate whereabouts to the service. In a consumer social/discovery skill, this omission increases the chance that callers send exact coordinates by default without informed user consent, creating avoidable privacy risk.

Missing User Warnings
Severity: Medium | Confidence: 93%
Finding:
For LINK notes, the document says the backend will automatically extract content from submitted URLs, but it does not warn that the URL and fetched page contents will be sent to and processed by the server. This can mislead users into submitting sensitive or private links without understanding the data disclosure and server-side retrieval involved.

Missing User Warnings
Severity: Medium | Confidence: 96%
Finding:
The flow directs the agent to persist returned profile data locally without first warning the user or obtaining consent. Silent local persistence of personal account data undermines user expectations and can expose information on shared systems or through later compromise of local files.

Missing User Warnings
Severity: Medium | Confidence: 95%
Finding:
The first-run handoff encourages syncing long-term memories to SecondMe but does not clearly warn that personal memories will be transmitted to an external service. Because memory data can contain highly sensitive personal details, the omission of a privacy warning and granular confirmation materially increases the chance of unintended disclosure.

VirusTotal

64/64 vendors flagged this skill as clean.