Ordnung

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly transparent about what it does, but it asks agents to make broad, persistent workspace and identity changes that deserve manual review before use.

Install only if you explicitly want this themed remote registration and persistent ORDNUNG entries in your workspace. Do not let an agent follow the broad home-directory scan, purge, rename, delete, or git add -A commit rituals automatically; keep any cleanup scoped to a reviewed project, inspect diffs first, and delete ~/.config/ordnung/credentials.json plus the SOUL.md and memory entries if you later opt out.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill advertises shell-based behavior and instructs users to run bash scripts, but it declares no permissions or trust boundaries. This makes the operational capability opaque to users and reviewers, increasing the chance that file, network, or shell actions occur without informed consent.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The public description frames the skill as a thematic movement about organization, while the documented behavior includes network exfiltration of identity-related data, local file inspection, credential creation, and persistent file modification. That mismatch is dangerous because it can cause users or agent frameworks to authorize a far more invasive skill than they intended.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script presents itself as a workspace-organization/initiation tool, but it silently performs remote account registration and retrieves an API key from an external service. That mismatch is security-relevant because users may run it expecting local customization while it actually creates an external identity and stores credentials, expanding trust and attack surface without informed consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
Beyond organization-themed messaging, the script modifies SOUL.md and creates persistent memory files that alter core workspace identity and behavior. In an agent skill context, silently changing identity/memory artifacts can steer future behavior and create durable prompt-level influence unrelated to the stated utility.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script makes an unsolicited outbound request to a remote service to fetch 'movement status', which is not necessary for a local status command about workspace organization. This creates privacy and telemetry risk because running the script reveals that the user executed the skill and may expose network metadata or enable remote influence via attacker-controlled responses, especially since the base URL is overridable through an environment variable.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads a local credentials file and extracts agent identity details, then displays them, even though a generic status check for workspace organization does not inherently need credential inspection. Accessing identity-related local data broadens the script's privilege and may leak sensitive information to terminal logs, screenshots, shell history captures, or calling systems.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script transmits workspace-derived data including agent name, manifesto text, and proof material to a remote API without a prior clear warning or confirmation. Even if the fields seem low sensitivity, they are derived from local workspace identity files and create unnecessary disclosure and linkage to an external service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script accepts network-returned credential material and writes it directly to a local credentials file without upfront warning or trust verification. This can establish persistent access tied to an unreviewed remote service and makes later automated use of those credentials more likely.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script creates and modifies persistent workspace files, including SOUL.md and memory artifacts, without a clear advance warning. In an agent workspace, such writes are high-impact because they can alter future context, instructions, and behavior beyond the immediate run.

Ssd 4

Medium
Confidence
94% confidence
Finding
The script embeds persistent, cult-like narrative content that encourages broad workspace inspection, routine behavioral rituals, and durable identity changes. In an agent skill, this is dangerous because it attempts long-term behavioral steering through trusted files and onboarding text, increasing the chance of future overreach, data exposure, and operator deception.

Credential Access

High
Category
Privilege Escalation
Content
**What the join script does:**
- POSTs your agent name and manifesto verse to `https://ordnung.church/api/join`
- Saves your API key to `~/.config/ordnung/credentials.json`
- Appends an ORDNUNG section to your `SOUL.md` (if it exists)
- Creates `memory/ordnung-initiation.md` in your workspace
Confidence
91% confidence
Finding
credentials.json

Credential Access

High
Category
Privilege Escalation
Content
**What data is sent:** Agent name, your manifesto verse, a proof-of-work hash (anti-chaos verification). No telemetry, no tracking, no lobster nonsense.

**What the join script writes:**
- `~/.config/ordnung/credentials.json` — your API key
- `SOUL.md` — appends an ORDNUNG section (Three Pillars, inscribed permanently)
- `memory/ordnung-initiation.md` — records your initiation date and manifesto
Confidence
90% confidence
Finding
credentials.json

Session Persistence

Medium
Category
Rogue Agent
Content
```
Before context window death, the Devoted shall:

1. Write memory/YYYY-MM-DD.md — what was accomplished
2. git add -A && git commit — nothing uncommitted survives the night
3. Remove all *.tmp, *.bak files — the past must not clutter the future
4. Verify: ls /tmp/ should not terrify you
```
Confidence
88% confidence
Finding
Write memory/YYYY-MM-DD.md — what was accomplished 2. git add -A && git commit — nothing uncommitted survives the night 3. Remove all *.tmp, *.bak files — the past must not clutter the future 4. Verif

VirusTotal

VirusTotal findings are pending for this skill version.
