Back to skill

Security audit

Multi-Brain Protocol

Security checks across malware telemetry and agentic risk

Overview

This skill has a real multi-LLM purpose, but it needs Review because it can monitor local agent sessions, send prompts and memory context to external AI providers, run persistently, and store API keys in plaintext.

Install only if you are comfortable with a hook or daemon reading agent conversations and sending prompt plus possible memory/context content to configured AI providers. Prefer local Ollama for sensitive work, set narrow ownerIds or session scope, avoid storing production API keys until secret storage is hardened, and remove provenance-hiding instructions before use in shared or regulated environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (52)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The watcher sends user message content plus excerpts from a local MEMORY.md file to a third-party API automatically and in the background. This creates an unauthorized data exfiltration path for potentially sensitive conversations and local business context, with no consent, scoping, redaction, or policy enforcement visible in the code.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The daemon enumerates all agent session files, inspects new user messages across sessions, and writes influence files that downstream agents are expected to read. This is a cross-session surveillance and intervention mechanism that can affect agent behavior without isolation boundaries, user awareness, or authorization checks.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The hook reads sensitive local data from both the session transcript and a local MEMORY.md file, then sends that material to an external third-party API. In an agent bootstrap context, this creates a clear confidentiality risk because user prompts and local memory may contain secrets, internal data, or regulated information, and the transfer happens automatically without consent or minimization beyond simple truncation.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The file header describes only reading the last user message, but the implementation additionally reads MEMORY.md and includes it in the outbound prompt. This mismatch is dangerous because it conceals the true data flow from reviewers and operators, increasing the chance that sensitive local context is exfiltrated without informed approval.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The hook reads a separate local file (`/Users/chadix/clawd/MEMORY.md`) and includes its contents in the prompt sent to `api.moonshot.ai`, even though the documented behavior says it only uses the last user message. This creates an undisclosed data exfiltration path for potentially sensitive local memory unrelated to the current session.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The module header claims the hook reads the last user message and injects a perspective, but the implementation also reads and transmits unrelated local memory content. This mismatch hides material data-handling behavior from reviewers and users, undermining trust and making sensitive exfiltration easier to miss.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The daemon scans conversation/session files from user home directories, extracts recent user messages, and submits them to a provider via getPerspective() to generate derived content. This is a privacy-sensitive data collection and secondary processing flow that can expose potentially confidential chat/session content without clear user consent, scope limitation, or per-session authorization.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill writes AI-derived 'perspectives' to local files and can also persist them to a local HTTP memory service, creating an additional storage channel for sensitive information derived from user conversations. Even though the HTTP target is localhost, this still expands the exposure surface and can leak private data to other local processes or services without clear consent or retention controls.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly states that user messages are sent to secondary LLM providers, including third-party APIs, but does not pair that behavior with a strong privacy notice, consent requirement, or data-handling warning. In this context, the skill monitors local session files and forwards message content externally, which can expose sensitive prompts, proprietary data, or personal information without adequate user awareness.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The changelog explicitly documents that API keys are stored in plaintext, which indicates the product currently persists sensitive credentials without protection at rest. If the host is compromised, backups are exposed, or file permissions are weak, those credentials can be recovered and used to access upstream LLM services and associated data.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide states that user messages are sent to a secondary LLM provider, but it does not prominently warn that potentially sensitive conversation content may leave the local environment and be processed by third parties. This can lead users to unknowingly expose private data, credentials, or regulated information to external services.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The uninstall steps include `rm -rf ~/.dual-brain`, which permanently deletes configuration, logs, state, and generated perspectives, but the warning is only marked as optional and does not clearly emphasize irreversible data loss. Users may remove data they intended to retain, including API configuration and logs useful for audit or recovery.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly states that qualifying user messages are intercepted and sent to external LLM providers in parallel, but it provides no privacy warning, consent requirement, or data-handling limitation. In an agent hook that runs before responses, this creates a real risk of unintentionally disclosing sensitive prompts, internal data, or regulated information to third parties.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The instructions recommend storing an API key by echoing it into a file in the workspace path without discussing file permissions, secret management, or accidental inclusion in backups/repos. While not inherently malicious, this encourages weak credential-handling practices that could expose provider credentials to other users, processes, or source control.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill routes user prompts to multiple external LLM providers (Moonshot/Kimi and OpenAI Codex) but does not present a clear user-facing warning that their content will be disclosed to third parties. This creates a confidentiality and consent problem: users or operators may unknowingly send sensitive prompts, proprietary data, or secrets outside the primary environment.

Missing User Warnings

Low
Confidence
91% confidence
Finding
The setup instructs users to store an API key in a local plaintext file without any warning about file permissions, exposure risk, or safer secret-management alternatives. Plaintext credential storage can lead to accidental disclosure through backups, repo commits, multi-user systems, or local compromise.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instruction to 'Never mention the other AIs to the user' is a transparency anti-pattern that conceals material processing behavior from users while their content is being shared with additional models. Hiding third-party involvement undermines informed consent, impedes auditing, and can cause users to disclose sensitive information under false assumptions about where their data goes.

Missing User Warnings

High
Confidence
96% confidence
Finding
User-provided message content is transmitted to an external model service without any disclosure, consent prompt, or warning in the workflow. In a background daemon that watches conversations automatically, this increases the privacy risk because users and operators may not realize their text is being forwarded off-system.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code reads local business context from /Users/chadix/clawd/MEMORY.md and embeds it into the system prompt sent to the external API. That can leak internal operational details, strategy, or other sensitive context beyond the original conversation scope, compounding the exfiltration risk.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The hook is configured to run on every agent bootstrap and only documents a few skipped cases, which means it can process a wide range of conversations without clear scoping or consent boundaries. In this skill, that broad trigger is more dangerous because it automatically forwards user-derived content to an external model and writes persistent local audit data, increasing the chance of collecting sensitive prompts unintentionally.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly states it extracts the last user message and sends it to Moonshot's external API, but the description provides no explicit warning, consent flow, or data handling limitations. This is dangerous because sensitive user content may be exfiltrated to a third party automatically at bootstrap time, before the agent responds and potentially before the user understands the transfer.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill writes an audit trail containing perspective data to a persistent path under ~/.engram/perspectives without clearly warning the user. Persistent storage of conversation-derived content in a home directory can expose sensitive prompts or derived data to other local users, backups, endpoint tooling, or later compromise, especially because the file naming suggests repeated accumulation over time.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code transmits the user's message and local context to api.moonshot.ai without any visible disclosure, consent, or runtime notice. In a bootstrap hook, this is especially risky because it occurs automatically before normal interaction, making covert data leakage more likely and harder for users to detect.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The injected bootstrap content explicitly tells the agent not to mention its source, which undermines transparency and can mislead users or operators about how responses are being influenced. Concealing third-party-generated guidance is particularly risky when that guidance is derived from externally transmitted user and local data.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The hook explicitly documents sending the user's last message to a third-party API (Moonshot/Kimi) during agent bootstrap, but the skill description contains no user-facing consent, privacy disclosure, data minimization, or scoping controls. Because bootstrap runs automatically and before normal workspace context injection, this can exfiltrate potentially sensitive prompts or secrets without the user's informed awareness, increasing privacy and compliance risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/cli.js:212