Comind

Security checks across malware telemetry and agentic risk

Overview

Comind is a coherent CoMind collaboration integration, but it can use API tokens to change shared project data and can silently sync local workspace Markdown content to the CoMind API, so review it before installation.

Install only into a dedicated CoMind workspace where you intend the agent to read task/context files and update CoMind. Use a least-privilege, scoped token; verify that COMIND_BASE_URL points to a trusted CoMind instance; keep tokens out of chat, logs, and synced Markdown; and enable heartbeat/Cron sync only after confirming exactly which directories and CoMind records it may read or modify.
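Two of the checks above, a trusted-instance test for COMIND_BASE_URL and token redaction before anything is written to chat, logs or synced Markdown, as an added example for this review (not Comind's or CoMind's own code). The variable name COMIND_BASE_URL and the WebSocket field apiToken come from the findings on this page; the trusted host, the token shape and the sample log line are constructed assumptions.

```python
"""Pre-install checks for a CoMind-style skill: trusted base URL and token redaction.

Added example for this review; it is not Comind's or CoMind's own code. The
variable name COMIND_BASE_URL and the WebSocket field apiToken come from the
page; the trusted host, token shape and sample log line are constructed.
"""
import re
from urllib.parse import urlsplit

# Assumption: the operator keeps an explicit allowlist of CoMind instances.
TRUSTED_COMIND_HOSTS = frozenset({"comind.example-corp.internal"})


def validate_base_url(url: str, trusted_hosts=TRUSTED_COMIND_HOSTS) -> tuple[bool, str]:
    """Accept only https URLs whose host is exactly on the allowlist.

    Exact host matching (not a substring check) rejects lookalikes such as
    comind.example-corp.internal.attacker.tld; embedded credentials and odd
    ports are rejected because a legitimate instance URL never needs them.
    """
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme != "https":
        return False, f"scheme must be https, got {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials embedded in COMIND_BASE_URL are not allowed"
    host = (parts.hostname or "").lower()
    if host not in trusted_hosts:
        return False, f"host {host!r} is not a trusted CoMind instance"
    if port not in (None, 443):
        return False, f"unexpected port {port}"
    return True, "ok"


# Assumption: tokens are opaque strings of 20+ URL-safe characters. Each pattern
# keeps the label (group 1) and redacts only the value that follows it.
_TOKEN_PATTERNS = [
    re.compile(r"(?i)(bearer\s+)[A-Za-z0-9_\-.]{20,}"),                 # Authorization header
    re.compile(r'(?i)("?apiToken"?\s*[:=]\s*"?)[A-Za-z0-9_\-.]{20,}'),  # WebSocket JSON field
    re.compile(r"(?i)(COMIND_(?:API_)?TOKEN\s*=\s*)\S+"),              # env dump / .env line
]


def redact_secrets(text: str) -> str:
    """Redact token values before text reaches chat, logs or synced Markdown."""
    for pattern in _TOKEN_PATTERNS:
        text = pattern.sub(lambda m: m.group(1) + "[REDACTED]", text)
    return text


# Constructed sample of what an agent might log after the token exchange.
SAMPLE_LOG = 'ws recv {"apiToken": "cmd_a1b2c3d4e5f6g7h8i9j0k1l2m3n4", "member": "m-42"}'

if __name__ == "__main__":
    for url in ("https://comind.example-corp.internal/api/v1",
                "http://comind.example-corp.internal",
                "https://comind.example-corp.internal.attacker.tld"):
        print(url, "->", validate_base_url(url))
    print(redact_secrets(SAMPLE_LOG))
```

Run the URL check once at install time and again at every heartbeat start, since an environment variable can be changed between runs; route every string the agent emits through the redactor, because the findings below show tokens arriving in WebSocket payloads that are easy to echo verbatim.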

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
Including a `get_mcp_token` capability in a task-execution skill normalizes secret retrieval as part of routine operation. Any workflow that can request or expose API tokens materially increases the risk of credential theft, privilege escalation, and unauthorized API use.

Context-Inappropriate Capability

Severity: Medium
Confidence: 78%
Finding
Documenting self-registration broadens the skill from task operations into identity and provisioning management. That increases attack surface by enabling creation of new agent identities or endpoints beyond the stated purpose, which can be abused for persistence or unauthorized access.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The skill claims heartbeat runs should only inspect and report, but elsewhere authorizes state-changing actions such as updating task status, delivery status, queue state, and marking related tasks complete. In an automated heartbeat context, this mismatch can cause unintended writes during passive monitoring, creating integrity risks and making it easier for a scheduled trigger to mutate workflow state without explicit operator intent.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
This heartbeat template is framed as a lightweight status sync, but it also instructs the agent to scan workspaces and upload changed Markdown content to an external API. That materially expands the trust boundary from metadata sync to bulk content exfiltration, and because it is tied to an automated heartbeat trigger, it can transmit local documents without an explicit per-run user decision.

Intent-Code Divergence

Severity: Medium
Confidence: 85%
Finding
The documentation minimizes the operation as the 'most lightweight' heartbeat and claims scanning only checks mtime, while earlier steps direct hash comparison and full document uploads when changes are detected. This mismatch is dangerous because operators may enable or approve the heartbeat under false assumptions about what data is accessed and transmitted.
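The two heartbeat findings above turn on what a scan actually reads and sends. The following dry run, added for this review and not Comind's or CoMind's own code, walks only an operator-approved set of directories, classifies each Markdown file by hash and by mtime, and uploads nothing, so the operator can see the difference between an mtime-only check and a content check before enabling the heartbeat. The manifest format (relative path mapped to the sha256 and mtime recorded at the last sync), the directory allowlist and the sample workspace are constructed assumptions.

```python
"""Dry run of a heartbeat workspace scan: report what would be uploaded, upload nothing.

Added example for this review; it is not Comind's or CoMind's own code. The
manifest format (relative path -> sha256 and mtime recorded at the last sync),
the directory allowlist and the sample workspace are constructed assumptions.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def dry_run_scan(root: Path, allowed_dirs: list[str], manifest: dict) -> dict:
    """Classify every Markdown file a heartbeat scan would reach.

    new / changed   : content differs from the last sync; a heartbeat would upload
                      the full document (this is what the lightweight framing hides).
    touched_only    : mtime moved but content is identical; an mtime-only check
                      would upload these too, a hash check would not.
    unchanged       : nothing to send.
    outside_scope   : Markdown outside the allowed directories; reported so the
                      operator sees what an unscoped scan would have read.
    """
    report = {"new": [], "changed": [], "touched_only": [], "unchanged": [], "outside_scope": []}
    allowed = [(root / d).resolve() for d in allowed_dirs]
    for path in sorted(root.rglob("*.md")):
        rel = path.relative_to(root).as_posix()
        if not any(path.resolve().is_relative_to(a) for a in allowed):
            report["outside_scope"].append(rel)
            continue
        entry = manifest.get(rel)
        if entry is None:
            report["new"].append(rel)
            continue
        last_sha, last_mtime = entry
        digest = sha256_file(path)
        if digest != last_sha:
            report["changed"].append(rel)
        elif path.stat().st_mtime != last_mtime:
            report["touched_only"].append(rel)
        else:
            report["unchanged"].append(rel)
    return report


def demo() -> dict:
    """Build a constructed workspace, then run the scan against a constructed manifest."""
    with tempfile.TemporaryDirectory(prefix="comind-dryrun-") as tmp:
        root = Path(tmp)
        (root / "tasks").mkdir()
        (root / "notes").mkdir()
        t1 = root / "tasks" / "task-1.md"
        t2 = root / "tasks" / "task-2.md"
        t1.write_text("# Task 1\nstatus: doing\n")
        t2.write_text("# Task 2\nstatus: done\n")
        (root / "tasks" / "task-3.md").write_text("# Task 3\nnew since last sync\n")
        (root / "notes" / "private-credentials.md").write_text("not for the shared board\n")
        # Manifest from the "previous sync": task-1 as it is now, task-2 with an old hash.
        manifest = {
            "tasks/task-1.md": (sha256_file(t1), t1.stat().st_mtime),
            "tasks/task-2.md": ("0" * 64, 0.0),
        }
        # Touch task-1 without editing it: mtime changes, content does not.
        os.utime(t1, (1_700_000_000, 1_700_000_000))
        return dry_run_scan(root, ["tasks"], manifest)


if __name__ == "__main__":
    for bucket, files in demo().items():
        print(f"{bucket:14} {files}")
```

The report makes the divergence concrete: an mtime-only heartbeat would upload task-1, task-2 and task-3, a hash-based one only task-2 and task-3, and without the directory allowlist the notes file would have been read as well. Gate the real sync on the operator reviewing this output.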

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The document explains how to obtain, copy, regenerate, and transmit API tokens but does not prominently warn that these are high-value secrets or prohibit exposing them in logs, chat, templates, or documents. That omission makes accidental credential disclosure much more likely in normal use.

Vague Triggers

Severity: Medium
Confidence: 80%
Finding
The skill is configured to run broadly for essentially all CoMind task pushes, chats, schedules, and inspections. Such unconstrained activation increases the chance of unintended execution of sensitive actions in the wrong context, especially because the skill also includes network and credential-related behaviors.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
This skill instructs the agent to perform authenticated external API actions that create or update Wiki documents, optionally deliver documents, and update status, all based on a heartbeat trigger rather than an explicit user confirmation at execution time. Because these are state-changing operations and may transmit workspace-derived content to an external endpoint, the lack of a user-facing warning, approval gate, or clear trust boundary increases the risk of unintended data modification, duplicate reporting, or disclosure of sensitive project information.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The skill explicitly defaults to silent execution and only reports a narrow set of exceptions, even though it may transmit task metadata and local file contents to external CoMind APIs. Suppressing user-visible notice for recurring outbound data transfer reduces transparency, weakens informed consent, and makes accidental leakage of sensitive workspace content more likely to go unnoticed.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The template explicitly instructs the agent to change task state and write Markdown that CoMind will automatically parse into shared board updates, but it does not require confirmation, authorization checks, or a warning that these actions modify collaborative project data. In an agent setting, this can cause unintended or unauthorized state changes if the pushed task content is mistaken, maliciously crafted, or lacks sufficient provenance.

Ssd 3

Severity: High
Confidence: 97%
Finding
The skill instructs the agent to obtain configuration and API tokens through conversational or runtime workflow steps, including WebSocket responses carrying `apiToken`. Embedding secret retrieval in natural-language operating instructions makes credential access part of ordinary execution and raises the chance of exfiltration or misuse.

Ssd 3

Severity: High
Confidence: 99%
Finding
The explicit `get_mcp_token` action is a direct secret-retrieval primitive exposed to the agent through natural-language workflow control. If abused or triggered in the wrong context, it can hand out credentials that allow authenticated API access beyond the immediate task.

Ssd 3

Severity: High
Confidence: 97%
Finding
Repeated examples teaching the agent to request tokens by member ID reinforce credential access as standard behavior and make unsafe use patterns more likely. This is particularly dangerous because examples often become copy-pasted operational practice, turning secret retrieval into a routine action.
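The findings on heartbeat writes, on broad triggers and on `get_mcp_token` share one fix: decide each tool call against the trigger that started the run, not against the natural-language instructions alone. The gate below is an added example for this review, not Comind's or CoMind's own code. Only `get_mcp_token` is named by the page; the other tool names, the trigger names and the policy table are constructed assumptions standing in for the skill's real action set.

```python
"""Trigger-aware gating of tool calls for a CoMind-style skill.

Added example for this review; it is not Comind's or CoMind's own code. Only
get_mcp_token is named by the page; the other tool names, the trigger names and
the policy table are constructed assumptions that stand in for the skill's real
action set.
"""
from dataclasses import dataclass

# Passive triggers are the ones the page says should only inspect and report.
PASSIVE_TRIGGERS = frozenset({"heartbeat", "cron", "inspect"})
INTERACTIVE_TRIGGERS = frozenset({"task_push", "chat"})

READ_ONLY_TOOLS = frozenset({"list_tasks", "read_task", "read_wiki_doc", "scan_workspace_mtime"})
STATE_CHANGING_TOOLS = frozenset({
    "update_task_status", "update_delivery_status", "mark_related_complete",
    "create_wiki_doc", "upload_markdown", "register_agent",
})
SECRET_TOOLS = frozenset({"get_mcp_token"})


@dataclass(frozen=True)
class CallContext:
    trigger: str                     # which trigger started this run
    operator_approved: bool = False  # explicit per-run human confirmation
    reason: str = ""                 # free text recorded with the decision


def gate_tool_call(tool: str, ctx: CallContext) -> tuple[bool, str]:
    """Decide one tool call. Deny by default; every denial says why."""
    if ctx.trigger not in PASSIVE_TRIGGERS | INTERACTIVE_TRIGGERS:
        return False, f"{tool}: unknown trigger {ctx.trigger!r}"
    passive = ctx.trigger in PASSIVE_TRIGGERS
    if tool in SECRET_TOOLS:
        if passive:
            return False, f"{tool}: secret retrieval is never allowed from {ctx.trigger!r}"
        if not ctx.operator_approved:
            return False, f"{tool}: secret retrieval requires explicit operator approval"
        return True, f"{tool}: allowed, operator-approved in {ctx.trigger!r}"
    if tool in STATE_CHANGING_TOOLS:
        if passive:
            return False, f"{tool}: {ctx.trigger!r} runs may only inspect and report"
        if not ctx.operator_approved:
            return False, f"{tool}: state change requires operator approval"
        return True, f"{tool}: allowed, operator-approved in {ctx.trigger!r}"
    if tool in READ_ONLY_TOOLS:
        return True, f"{tool}: read-only"
    return False, f"{tool}: not on any allowlist"


def filter_plan(plan: list[str], ctx: CallContext) -> tuple[list[str], list[tuple[str, str]]]:
    """Split a planned sequence of tool calls into what may run and what was refused."""
    allowed, denied = [], []
    for tool in plan:
        ok, why = gate_tool_call(tool, ctx)
        if ok:
            allowed.append(tool)
        else:
            denied.append((tool, why))
    return allowed, denied


if __name__ == "__main__":
    # Constructed heartbeat plan mixing the inspect step with the writes the skill also authorizes.
    plan = ["list_tasks", "scan_workspace_mtime", "upload_markdown", "update_task_status", "get_mcp_token"]
    ok, refused = filter_plan(plan, CallContext("heartbeat"))
    print("run:", ok)
    for tool, why in refused:
        print("deny:", why)
```

Under this policy a heartbeat can still inspect and report, but the status updates, Markdown uploads and token retrieval the skill's instructions also authorize are refused with a logged reason, and `get_mcp_token` is reachable only from an interactive trigger with a recorded operator approval. Log the denials: they are the evidence that the skill's prose and its behaviour disagree.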

VirusTotal

All 66 of 66 VirusTotal vendors rated this skill as clean. A clean antivirus verdict covers the packaged files only; it says nothing about the instruction-level risks listed above.
