Mediator

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its communication-filtering purpose, but it needs review because it handles private messages while relying on hard-coded account defaults, runtime package installation, external LLM processing, and plaintext local retention.

Install only after reviewing the generated config and external tools. Remove the hard-coded Gmail accounts, verify gog-read.sh, imsg, and llm are trusted and configured for your accounts, avoid cron or heartbeat monitoring until you intentionally want continuous checks, and do not use auto-response for legal, financial, child-related, or otherwise sensitive matters.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (23)

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
import os
import sys
from pathlib import Path

try:
    import yaml
except ImportError:
    # Flagged behaviour: installs a package at runtime through a shell command
    print("Installing PyYAML...")
    os.system(f"{sys.executable} -m pip install -q pyyaml")
    import yaml

CONFIG_FILE = Path.home() / ".clawdbot" / "mediator.yaml"
Confidence
95% confidence
Finding
os.system(f"{sys.executable} -m pip install -q pyyaml")

os.system() or os exec-family call

High
Category
Dangerous Code Execution
Content
import os
import sys
from pathlib import Path

try:
    import yaml
except ImportError:
    # Flagged behaviour: installs a package at runtime through a shell command
    os.system(f"{sys.executable} -m pip install -q pyyaml")
    import yaml

CONFIG_FILE = Path.home() / ".clawdbot" / "mediator.yaml"
Confidence
96% confidence
Finding
os.system(f"{sys.executable} -m pip install -q pyyaml")

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def summarize_content(contact: dict, content: str) -> dict:
    """Use LLM to summarize/neutralize content."""
    try:
        result = subprocess.run(
            [sys.executable, str(SUMMARIZE_SCRIPT), 
             "--mode", contact.get("summarize", "facts-only"),
             "--content", content],
Confidence
91% confidence
Finding
result = subprocess.run( [sys.executable, str(SUMMARIZE_SCRIPT), "--mode", contact.get("summarize", "facts-only"), "--content", content], cap

subprocess module call

Medium
Category
Dangerous Code Execution
Content
def summarize_content(contact: dict, content: str) -> dict:
    """Use LLM to summarize/neutralize content."""
    try:
        result = subprocess.run(
            [sys.executable, str(SUMMARIZE_SCRIPT),
             "--mode", contact.get("summarize", "facts-only"),
             "--content", content],
Confidence
84% confidence
Finding
result = subprocess.run( [sys.executable, str(SUMMARIZE_SCRIPT), "--mode", contact.get("summarize", "facts-only"), "--content", content], capt

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Try using the llm CLI if available
    try:
        result = subprocess.run(
            ["llm", "-m", "gpt-4o-mini", prompt, "--no-stream"],
            input=content,
            capture_output=True,
Confidence
93% confidence
Finding
result = subprocess.run( ["llm", "-m", "gpt-4o-mini", prompt, "--no-stream"], input=content, capture_output=True, text=True, timeout

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises a benign mediation function but exposes capabilities for shell execution, network access, and file writes without any declared permission model or explicit user consent boundary. In a skill that processes private communications, undeclared capabilities materially increase the risk of silent data access, forwarding, persistence, and unintended side effects.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
This is a true security issue because the documented purpose understates the actual behavior: monitoring Gmail, reading iMessage history, persisting state, installing packages at runtime, and invoking external tools/LLMs. That mismatch prevents informed consent and makes it easier for users to enable broad surveillance and data exfiltration behaviors they may not expect from the description alone.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The helper silently installs PyYAML when the import fails, giving a simple configuration utility the ability to fetch and execute code from package infrastructure. In the context of a communication-filtering skill, this behavior is not necessary for core functionality and increases supply-chain and unexpected-execution risk.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The default config seeds the tool with Telegram routing and hard-coded Gmail accounts, which exceeds the narrowly described role of mediating communications for user-specified difficult contacts. Prepopulating external notification and mailbox targets can cause collection or forwarding of private communications without an explicit, informed setup step by the user.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Configuring Telegram as a notification channel by default introduces an outbound communication path not justified by the stated mediation function. Even if later components implement this legitimately, a default external sink for message summaries increases the risk of unintended disclosure of sensitive interpersonal communications.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Installing a Python package during execution is not necessary for normal email mediation and creates avoidable supply-chain and arbitrary code execution risk. Because this skill processes sensitive communications, any compromise of package resolution or environment configuration could expose private messages or system access.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Installing a Python package at runtime is unrelated to normal message filtering and expands the attack surface by pulling executable code from an external source during operation. In a tool handling private communications, this behavior is especially risky because compromise of the package source, dependency chain, or environment could lead to code execution on the user's machine.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This skill is designed to handle difficult-contact messages, which are likely to contain highly sensitive personal communications. Transmitting that content to an external LLM service is broader than the stated local mediation/filtering role and can leak private or regulated information to third parties without clear notice.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The trigger language is broad enough to activate on ordinary conversations about difficult people, which can cause the skill to run in contexts where the user did not intend message interception or filtering. Because this skill handles sensitive communications, overbroad activation raises privacy and consent risks beyond a normal convenience issue.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill omits a clear privacy warning that raw or derived message content may be fetched from email/iMessage, sent to notification channels, and processed by an LLM. For highly sensitive interpersonal communications, that omission is dangerous because users may unknowingly expose private, legal, financial, or family-related content to additional systems and logs.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
Automatic package installation occurs without meaningful warning, consent, or confirmation, so users running a local config command may unknowingly trigger shell execution and download code. That makes the behavior surprising and unsafe, especially for a helper expected only to read and write YAML configuration.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The init flow writes a persistent config containing sensitive communication settings and account identifiers into the user's home directory without any user-facing privacy disclosure or consent checkpoint. In a skill designed to intercept personal messages, silent persistence of this data materially raises privacy risk if the workstation, backups, or dotfiles are accessed by others.

Missing User Warnings

High
Confidence
95% confidence
Finding
The add-contact flow persists sensitive identifiers such as email addresses and phone numbers, then logs them in plaintext to a local logfile. Because this skill handles communications from difficult contacts, the stored and logged data is especially sensitive and could expose private relationships and contact details to anyone with access to the account, logs, or backups.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Email content is sent to a summarization subprocess without any explicit disclosure, consent, or data handling controls. In this skill context, intercepted communications are inherently sensitive, so undisclosed secondary processing materially increases privacy and compliance risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This skill processes communications from 'difficult contacts,' which are likely to contain sensitive personal information, and it transmits that content for summarization without any user-facing warning or explicit approval path. The skill context makes this more dangerous because users may assume mediation means privacy protection, while the implementation actually broadens access to the raw messages.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script forwards user-provided message content to an LLM subprocess without any user-facing warning in this file, undermining informed consent for disclosure of intercepted communications. In the mediator context, the data is especially sensitive because it may include private disputes, accusations, dates, locations, and other personal details.

Session Persistence

Medium
Category
Rogue Agent
Content
### Summarize Options

- **facts-only**: Extract only actionable items, requests, deadlines. No emotion.
- **neutral**: Rewrite the message in neutral tone, preserving all content.
- **full**: Show everything but flag emotional/manipulative language.

### Respond Options
Confidence
70% confidence
Finding
write the message in neutral tone, preserving all content. - **full**: Show everything but flag emotional/manipulative language. ### Respond Options - **draft**: Generate suggested response, wait fo

VirusTotal

64/64 vendors flagged this skill as clean.