BlueHex Data Collector

Security checks across malware telemetry and agentic risk

Overview

This skill openly implements continuous conversation recording and GitHub upload, but the breadth of collection, background persistence, identity linking, and external processing need careful review before installation.

Install only on a managed machine where all affected users and administrators have approved continuous capture of OpenClaw/Feishu conversations, identity resolution, external LLM classification, and GitHub publication. Review the destination repository permissions, BlueAI relay endpoint, GitHub credentials, lark-cli scope, cron schedule, local caches, logs, and retention policy before enabling it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (34)

Tainted flow: 'req' from os.environ.get (line 276, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
        "Authorization": f"Bearer {BLUEAI_API_KEY}"},
    )
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            result = json.loads(resp.read().decode("utf-8"))
        return json.loads(result["choices"][0]["message"]["content"])
    except urllib.error.HTTPError as e:
Confidence
96% confidence
Finding
with urllib.request.urlopen(req, timeout=30) as resp:

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The document describes a pipeline that harvests agent session files, derives user identifiers, resolves names, sanitizes content, and then publishes conversation records to a GitHub repository and PR workflow, while the manifest/skill description is only a vague project label. That mismatch obscures a high-risk data collection and exfiltration capability, reducing user and reviewer awareness and increasing the chance of covert surveillance or unauthorized disclosure.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
This pipeline resolves identities per bucket and publishes collected chat transcripts into a remote repo/PR workflow, but that invasive capability is not justified by the vague skill description. Identity resolution combined with publication materially increases privacy harm because pseudonymous chat data becomes attributable and shareable beyond the local environment.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script installs a persistent 2-hour cron job for a data-monitoring/recording pipeline and writes host/GitHub workflow configuration, while the declared skill metadata only describes a generic PM project. That mismatch is a real transparency and consent problem because it obscures ongoing automated collection and repository activity from the user reviewing the skill.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The installer discovers or prompts for the user's GitHub account and prepares a fork/PR workflow, but that behavior is not justified by the stated PM-project purpose. Collecting and configuring external account identity increases the chance of unauthorized repository actions or unexpected data publication if the user did not clearly consent.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script is hard-coded to operate on a different repository identity (bluehex-data-monitoring) than the declared skill (bluehex-data-collector), creating a scope mismatch between what the user would expect and what the skill actually touches. In an agent skill, this is dangerous because it can silently direct credentials, repository operations, and local workspace state toward an unrelated repo, violating least surprise and potentially enabling unintended data access or modification.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
This script performs GitHub authentication probing, username discovery, and fork synchronization even though the stated skill is a PM/data-collector. Those capabilities materially exceed the apparent functional scope and can enumerate local auth state, confirm credential validity, and modify repository remotes or fork state via a chained script, which is a meaningful privilege and behavior expansion for an agent-executed skill.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The inline documentation identifies the script as belonging to bluehex-data-monitoring while the skill metadata says bluehex-data-collector. Although this is partly a documentation/integrity issue, in security-sensitive automation such inconsistencies are risky because they obscure the real operational target and can mislead reviewers and users about what code will do.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The published skill metadata describes generic PM tooling, but the code performs external LLM submission of input text and reads local credential stores to obtain API keys. That mismatch is security-relevant because operators may approve or run the skill without understanding that it exports content and accesses secrets.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script reads API tokens from ~/.openclaw/.env and ~/.openclaw/openclaw.json without an explicit permission boundary or user confirmation. Accessing local secret material beyond direct CLI input increases blast radius: a user invoking a content-processing tool may unknowingly grant it the ability to reuse unrelated stored credentials for network calls.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The script’s declared purpose is generic, but its actual behavior is extensive conversation collection, metadata enrichment, sanitization, and publication into a GitHub workflow. That mismatch is security-relevant because it conceals a high-risk data exfiltration capability from users and reviewers, making informed consent and proper review less likely.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The script scans a broad local sessions directory, extracts turns from all candidate session files in a time window, groups them, and prepares them for repository commit, push, and PR creation. In this skill context, that is highly dangerous because it creates a bulk surveillance and exfiltration path for potentially sensitive chats that is not justified by the minimal metadata description.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script's behavior materially exceeds the stated skill description: it provisions forks, mutates git remotes, syncs branches, and can initialize a repository on GitHub. This mismatch is dangerous because users or an agent invoking the skill under a generic 'AI PM project' label would not reasonably expect repository-administration side effects on a transcript-monitoring repo, increasing the chance of unauthorized or surprising changes.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This block can create a commit directly in the upstream repository by writing README.md when the repo is empty, which is a privileged network write unrelated to the declared project description. In an agent context, that means simply running setup may cause permanent changes to a central repository if the local credential has push rights, crossing from local configuration into organization-level state mutation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script automates fork creation, cloning, remote reconfiguration, branch checkout, pulls from upstream, and pushes to origin, all of which are administrative repository operations not implied by the manifest. In a skill ecosystem, hidden admin capabilities are risky because they can be invoked by automation with ambient GitHub credentials, causing unintended repository state changes and trust-boundary violations.

Missing User Warnings

Medium
Confidence
76% confidence
Finding
The SOP instructs users to write persistent environment variables and register a silent cron job, but provides no explicit warning about the ongoing background execution, data collection behavior, or sensitivity of stored configuration. In this skill's context, the cron job appears to automate collection and publishing of monitoring data to GitHub, so silent persistence without clear operator-facing consent and security cautions increases the risk of unintentional data exposure or unauthorized continuous operation.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrases are broad everyday language such as requests about recording conversations or monitoring data, which can cause accidental invocation of a skill that performs highly sensitive collection and export. In this context, unintended activation is especially risky because the documented behavior is persistent and external-facing rather than a harmless local action.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill openly states that it records full user conversations and exchanged media on a recurring basis and pushes them to an external repository, but it does not provide adequate privacy warnings, consent language, retention limits, or disclosure of who can access the data. Because the data is identity-linked and durable, insufficient warning materially increases the risk of unauthorized surveillance and data leakage.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documented flow commits conversation-derived files to a Git repository, pushes them to a remote origin, and creates or updates a GitHub PR, but it provides no explicit warning or consent mechanism for the privacy impact. Even with sanitization, transcripts and metadata such as user IDs, session IDs, message IDs, host, and chat context may expose sensitive personal or operational information to repository collaborators or anyone with access.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The cron job is hard-coded to Asia/Shanghai without prompting the user or deriving the local timezone. This can cause the task to run at unexpected times, reducing user awareness and increasing the stealthiness of persistent automated collection.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Sensitive input text is transmitted to an external LLM relay for classification before local sanitization decisions are enforced, and the code does not present any user-facing disclosure or consent step. In this context, the content being classified explicitly includes internal client, legal, personnel, and credential-adjacent material, so external transmission itself can violate confidentiality expectations.

Missing User Warnings

High
Confidence
95% confidence
Finding
This section writes processed conversation content and rich metadata, including session IDs, message IDs, chat IDs, and sensitivity flags, into markdown files for later repository inclusion. Even if sanitization occurs, persistent local copies of conversation-derived data materially increase exposure risk and can leak identifiers or partially redacted sensitive content.

Missing User Warnings

High
Confidence
98% confidence
Finding
This code pushes collected monitoring data to a remote Git repository and may open a GitHub PR automatically, causing network transmission of conversation-derived content and metadata. In a data-collection skill operating over local agent sessions, silent publication to an external platform is a severe exfiltration risk, especially if sanitization is incomplete or repository access is broader than intended.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends a user identifier (open_id) to an external contact API without any user-facing disclosure or consent check. This creates a privacy and data-handling risk because personal/workplace identifiers are transmitted off-script to an external service, and operators may not realize that invoking a local helper causes network-based identity resolution.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The script persistently stores mappings between open_id values and resolved names in a local cache, which creates a privacy exposure if the workstation is shared, backed up, or otherwise accessed by unauthorized users. Because these mappings link opaque identifiers to human-readable names, the cache can become a sensitive directory of user identities over time.

VirusTotal

VirusTotal findings are pending for this skill version.
