Dual-Brain

Security checks across malware telemetry and agentic risk

Overview

The skill has a coherent purpose, but it broadly monitors agent sessions, forwards prompts/context to LLM providers, stores derived outputs locally, and can install persistent background services without enough scoping or warnings.

Install only if you are comfortable with agent conversation content and local memory context being processed by the selected secondary model provider and stored locally. Prefer a local provider such as Ollama for sensitive work, restrict permissions on ~/.dual-brain/config.json, avoid enabling Engram for confidential sessions, and review any launchd/systemd service before enabling background persistence.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (25)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The summary explicitly documents that API keys are stored in plaintext and that the config file permissions are 0644, which typically makes secrets readable by other local users. Even though this is a documentation/build-summary file rather than executable code, it describes an insecure design without a prominent operational warning in installation guidance, increasing the chance the insecure default is deployed as-is.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill summary states that it scans user session files and sends user messages to secondary LLM providers, including cloud providers, but does not pair this behavior with a clear privacy/data-sharing warning. This creates a real risk of unintentional exfiltration of sensitive prompts, business data, or personal information to third parties, especially because the feature is framed as a normal core capability.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The changelog explicitly documents that API keys are stored in plaintext and presents it as a known limitation without any accompanying warning, mitigation guidance, or secure default. In an agent skill that integrates with multiple LLM providers, plaintext secret storage materially increases the risk of local credential disclosure through filesystem access, backups, logs, or accidental sharing of the config file.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide states that user session files are monitored, message contents are sent to a secondary LLM provider, and generated perspectives are written to disk, but it does not prominently warn users that potentially sensitive conversation data may leave the local system and be retained locally. In a tool that processes agent/user sessions, this omission creates a real privacy and confidentiality risk, especially when third-party providers are involved.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The setup instructions request an API key and indicate that configuration is saved to ~/.dual-brain/config.json, but they do not warn that credentials may be stored locally in plaintext or otherwise sensitive form. This can expose secrets to other local users, backups, shell history, or accidental disclosure if file permissions are weak.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly says every user message is sent to a secondary LLM provider, including third-party APIs such as OpenAI, Groq, and Moonshot, but it does not clearly warn users about privacy, retention, or data-sharing implications. In an agent setting, messages may contain secrets, personal data, or proprietary content, so silent forwarding materially increases confidentiality risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The architecture and quick-start describe a daemon that continuously polls OpenClaw session files and writes derived perspective files to disk, but the README does not make this persistence and monitoring behavior explicit as a security/privacy warning. Continuous background monitoring plus file output can expose conversation history to other local users, backups, logs, or unintended tooling.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill’s description presents the feature as beneficial cognitive diversity but does not clearly warn that every user message may be transmitted to a secondary LLM provider. This creates a meaningful transparency and consent failure: users or operators may unknowingly expose sensitive prompts, personal data, or proprietary content to third-party services.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The setup instructions discuss configuring providers and API keys but omit any warning that the configuration may contain credentials and must be protected accordingly. This omission increases the chance that users store, share, back up, or permission the config insecurely, exposing provider credentials and enabling unauthorized use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The optional Engram integration states that perspectives are stored as memories for long-term recall, but it does not warn that these perspectives are derived from user messages and may therefore retain sensitive or regulated data. Long-term retention materially increases privacy risk, expands the blast radius of accidental disclosure, and can conflict with data minimization expectations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
On macOS, the script creates a LaunchAgent plist and immediately loads it, causing the dual-brain command to persist and run automatically at login without any explicit consent prompt or warning beyond generic install messaging. Silent installation of a persistent background agent reduces user awareness and can be abused to maintain long-lived execution if the packaged command later behaves unexpectedly or maliciously.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The interactive setup collects an API key and persists it directly into ~/.dual-brain/config.json without clearly warning the user that the secret will be stored locally in plaintext. If the host is multi-user, backed up to less-trusted locations, or the file permissions are too broad, the credential can be exposed and then abused against the configured LLM provider.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code persists model-generated perspectives derived from recent user session messages to a local HTTP memory service on localhost:3400 without any notice, consent, or data-minimization controls in this file. Even though the destination is local, it creates a privacy and data-handling risk because sensitive user content may be retained by another service unexpectedly and could be exposed if that service is insecure or shared.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The daemon writes generated perspective files to disk using content derived from user messages, creating persistent local artifacts without any warning or retention control shown here. This is risky because sensitive prompts or inferred information may remain on disk, be read by other local users/processes, or be unintentionally committed, backed up, or exfiltrated later.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code sends userMessage and optional context to Groq's external API, and there is no indication in this component of consent, disclosure, redaction, or policy enforcement before transmission. In an agent skill, context can contain sensitive prompts, user data, secrets, or internal state, so silent third-party sharing creates a real privacy and data-governance risk even if the feature is intentional.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
This code sends userMessage and optional business context to Moonshot's external API, which can expose sensitive prompts, internal data, or customer information to a third party. The risk is increased because the provider is framed as a general 'second perspective' helper, so arbitrary user and business content may be forwarded without any visible consent, minimization, or classification controls in this component.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code forwards potentially sensitive userMessage and context data to an Ollama HTTP endpoint without any visible consent, notice, redaction, or policy enforcement in this component. Even if Ollama is intended to run locally, the configurable baseUrl can point to a remote host and the default transport is plain HTTP, increasing the risk of unintended disclosure of prompts, secrets, or personal data.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
This code transmits userMessage and optional context to a third-party API, which can expose sensitive or regulated data if callers pass secrets, personal data, or internal context without informed consent or policy controls. In an agent skill, this is more dangerous because 'context' often contains prior conversation state, hidden instructions, or user-provided confidential material that may be sent externally unintentionally.
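The overview's advice to restrict permissions on ~/.dual-brain/config.json, together with the findings above about plaintext API keys, a 0644 config file and an Ollama baseUrl that may point at a remote host over plain HTTP, can be turned into a small audit that runs before the daemon is started. The script below is an added example and is not code from Dual-Brain or from the scanner; it assumes the config is JSON with an "apiKey" field and an optional "baseUrl" field (the page names neither), and the sample config it writes is constructed to trip both checks.

```sh
#!/bin/sh
# Added example, not code from Dual-Brain: audit and harden the skill's config file.
# Assumed: the config is JSON with "apiKey" and an optional "baseUrl" (for Ollama);
# the page says only that keys are stored in plaintext and the file is created 0644.

CONFIG_DEFAULT="$HOME/.dual-brain/config.json"

# Octal permission bits (GNU stat on Linux, BSD stat on macOS).
file_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# 0 when group and other have no bits at all (600, 400, 700), 1 otherwise.
mode_is_private() {
  case "$(file_mode "$1")" in *00) return 0 ;; *) return 1 ;; esac
}

# 0 when the file holds a non-empty plaintext apiKey (assumed field name).
has_plaintext_key() { grep -Eq '"apiKey"[[:space:]]*:[[:space:]]*"[^"]+"' "$1"; }

# The configured provider baseUrl, or empty when none is set.
config_base_url() {
  sed -n 's/.*"baseUrl"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# 0 for HTTPS or plain HTTP to loopback only; 1 for plain HTTP to any other host.
# Exact host matching so "localhost.attacker.example" does not pass as loopback.
base_url_is_safe() {
  case "$1" in
    ""|https://*) return 0 ;;
    http://127.0.0.1|http://127.0.0.1:*|http://127.0.0.1/*) return 0 ;;
    http://localhost|http://localhost:*|http://localhost/*) return 0 ;;
    *) return 1 ;;
  esac
}

audit_config_perms() {
  if mode_is_private "$1"; then return 0; fi
  echo "WARN: $1 is mode $(file_mode "$1"); other local users can read it"
  if has_plaintext_key "$1"; then
    echo "WARN: it holds a plaintext apiKey; treat the key as exposed and rotate it"
  fi
  return 1
}

audit_config_transport() {
  url=$(config_base_url "$1")
  if base_url_is_safe "$url"; then return 0; fi
  echo "WARN: baseUrl $url sends prompts over plain HTTP to a non-loopback host"
  return 1
}

# Run both checks; 0 only when neither found a problem.
audit_dual_brain_config() {
  cfg="${1:-$CONFIG_DEFAULT}"
  [ -f "$cfg" ] || { echo "no config at $cfg"; return 0; }
  rc=0
  audit_config_perms "$cfg" || rc=1
  audit_config_transport "$cfg" || rc=1
  return $rc
}

# Owner-only directory and file. The apiKey is still plaintext afterwards: this closes
# the local-user exposure, it does not replace rotating a key that was already exposed.
harden_dual_brain_config() {
  cfg="${1:-$CONFIG_DEFAULT}"
  cfgdir=$(dirname "$cfg")
  if [ "$(basename "$cfgdir")" = ".dual-brain" ]; then chmod 700 "$cfgdir"; fi
  chmod 600 "$cfg"
}

# Constructed sample (not a real Dual-Brain config): the 0644 default plus a remote
# Ollama baseUrl, so both checks fire.
make_sample_config() {
  sample_root=$(mktemp -d)
  mkdir -p "$sample_root/.dual-brain"
  printf '{"provider":"ollama","apiKey":"sk-example-not-real","baseUrl":"http://10.0.0.5:11434"}\n' \
    > "$sample_root/.dual-brain/config.json"
  chmod 644 "$sample_root/.dual-brain/config.json"
  echo "$sample_root/.dual-brain/config.json"
}

sample=$(make_sample_config)
audit_dual_brain_config "$sample" || true
harden_dual_brain_config "$sample"
audit_dual_brain_config "$sample" || true    # only the baseUrl warning remains
rm -rf "$(dirname "$(dirname "$sample")")"
```

audit_dual_brain_config returns non-zero when either check fails, so it can gate a wrapper that starts the daemon. chmod only stops future reads: if the file sat at 0644 on a multi-user host or was captured in a backup, rotate the provider key as well.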

Ssd 3

High
Confidence
99% confidence
Finding
This skill instructs the system to route every user message through a background daemon to a secondary LLM provider and then read back the generated perspective. That creates a direct exfiltration path for all prompt content, including secrets, internal documents, personal data, or safety-sensitive instructions, to additional external processors without contextual gating or explicit consent. The skill context makes this more dangerous because the forwarding is framed as automatic and universal rather than limited to sanitized or approved inputs.

Ssd 3

Medium
Confidence
97% confidence
Finding
The optional memory integration stores generated perspectives in long-term recall, and those perspectives are derived from user messages. Even if the stored text is shorter than the original prompt, it can still preserve sensitive facts, intentions, or identifiers, creating persistent data leakage and future unauthorized retrieval risk.

Ssd 3

Medium
Confidence
91% confidence
Finding
Recent user messages are processed into summaries/perspectives and then stored persistently in the Engram memory service, which can create long-lived records of potentially sensitive conversations. In this context, the skill actively scans session files and converts user content into durable memory entries, increasing privacy risk and the blast radius of any compromise of that memory store.

Session Persistence

Medium
Category
Rogue Agent
Content
echo "To install (requires sudo):"
echo "  sudo mv /tmp/dual-brain.service $SERVICE_PATH"
echo "  sudo systemctl daemon-reload"
echo "  sudo systemctl enable dual-brain"
echo "  sudo systemctl start dual-brain"
echo ""
echo "Check status:"
Confidence
88% confidence
Finding
systemctl enable

Session Persistence

Medium
Category
Rogue Agent
Content
mkdir -p "$LOG_DIR"

# Create plist
cat > "$PLIST_PATH" <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
Confidence
90% confidence
Finding
PLIST

Session Persistence

Medium
Category
Rogue Agent
Content
# Load service
launchctl unload "$PLIST_PATH" 2>/dev/null || true
launchctl load "$PLIST_PATH"

echo "✅ Service loaded and running"
echo ""
Confidence
94% confidence
Finding
launchctl load

Session Persistence

Medium
Category
Rogue Agent
Content
# Load service
launchctl unload "$PLIST_PATH" 2>/dev/null || true
launchctl load "$PLIST_PATH"

echo "✅ Service loaded and running"
echo ""
Confidence
94% confidence
Finding
PLIST
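The four Session Persistence findings above show the installer writing a LaunchAgent plist and loading it in the same step, and printing sudo systemctl commands for Linux. Before either is loaded, an operator wants to know what the unit will execute, whether it starts without user action, and whether the supervisor will resurrect it after it is killed. The script below is an added example and not the install script's own code: it assumes the standard launchd keys ProgramArguments, RunAtLoad and KeepAlive and the systemd fields ExecStart, WantedBy and Restart, since the page shows only the plist header and the systemctl lines, and the two sample files it writes (label com.example.dual-brain, program /usr/local/bin/dual-brain) are constructed.

```sh
#!/bin/sh
# Added example, not code from Dual-Brain: read a launchd plist or systemd unit and
# report what it runs and whether it starts and restarts by itself, before loading it.
# Assumed: standard launchd keys (ProgramArguments, RunAtLoad, KeepAlive) and systemd
# fields (ExecStart, WantedBy, Restart); the page shows only the plist header.

# First <string> after the ProgramArguments (or Program) key: the binary launchd execs.
plist_program() {
  awk '
    /<key>ProgramArguments<\/key>/ || /<key>Program<\/key>/ { want = 1; next }
    want && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
  ' "$1"
}

# "true"/"false" for a boolean key; empty when the key is absent.
plist_bool() {
  awk -v key="$2" '
    index($0, "<key>" key "</key>") { want = 1; next }
    want && /<true\/>/  { print "true";  exit }
    want && /<false\/>/ { print "false"; exit }
    { want = 0 }
  ' "$1"
}

# First "Key=value" line of a systemd unit; empty when absent.
unit_field() { sed -n "s/^$2=//p" "$1" | head -n 1; }

# What the unit executes, for either format.
unit_exec() {
  case "$1" in
    *.plist) plist_program "$1" ;;
    *)       unit_field "$1" ExecStart ;;
  esac
}

# 0 when the unit starts with no user action: at login for a LaunchAgent with
# RunAtLoad, at boot for a systemd unit that has an [Install] target.
unit_is_autostart() {
  case "$1" in
    *.plist) [ "$(plist_bool "$1" RunAtLoad)" = "true" ] ;;
    *)       [ -n "$(unit_field "$1" WantedBy)" ] ;;
  esac
}

# 0 when the supervisor restarts the process after it exits or is killed.
unit_is_kept_alive() {
  case "$1" in
    *.plist) [ "$(plist_bool "$1" KeepAlive)" = "true" ] ;;
    *)       [ "$(unit_field "$1" Restart)" = "always" ] ;;
  esac
}

# Review summary: compare "executes" against the binary you actually installed.
review_persistence_unit() {
  echo "unit:       $1"
  echo "executes:   $(unit_exec "$1")"
  if unit_is_autostart "$1";  then echo "autostart:  yes"; else echo "autostart:  no"; fi
  if unit_is_kept_alive "$1"; then echo "restarts:   yes"; else echo "restarts:   no"; fi
}

# Constructed samples using the same plist header as the install script; the label,
# program path and systemd fields are assumptions, not values from the page.
make_sample_units() {
  unit_root=$(mktemp -d)
  cat > "$unit_root/com.example.dual-brain.plist" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>Label</key>
  <string>com.example.dual-brain</string>
  <key>ProgramArguments</key>
  <array>
    <string>/usr/local/bin/dual-brain</string>
    <string>daemon</string>
  </array>
  <key>RunAtLoad</key>
  <true/>
  <key>KeepAlive</key>
  <true/>
</dict>
</plist>
EOF
  cat > "$unit_root/dual-brain.service" <<'EOF'
[Unit]
Description=Dual-Brain daemon (constructed sample)

[Service]
ExecStart=/usr/local/bin/dual-brain daemon
Restart=always

[Install]
WantedBy=default.target
EOF
  echo "$unit_root"
}

root=$(make_sample_units)
review_persistence_unit "$root/com.example.dual-brain.plist"
review_persistence_unit "$root/dual-brain.service"
rm -rf "$root"
```

Run review_persistence_unit on the file the installer generates before launchctl load or systemctl enable. If the program path is not the binary you installed, or the unit both autostarts and restarts itself, that is a long-lived background process you will have to remove by hand: launchctl unload (launchctl bootout on current macOS) for the plist, or sudo systemctl disable --now dual-brain for the unit.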

VirusTotal

66/66 vendors flagged this skill as clean.
