0x0 Messenger

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real messenger, but it needs review because it stores sensitive chat/PIN data locally and includes under-disclosed server and web-control behavior.

Review before installing. Use it only if you are comfortable with chats, PINs, contacts, queued messages, and recovery information living under ~/.0x0, and do not treat it as no-trace or server-free because notification code contacts a centralized service with identifiers. Avoid --lan except on trusted networks, stop the web UI when not needed, use short-lived PINs, and avoid sending secrets through agent pipe/listen workflows unless you have assessed local storage and peer-message risks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises messaging capabilities that inherently require network access, yet no permissions are declared for that capability. This creates a transparency and policy-enforcement gap: users and platforms cannot accurately assess or constrain what the skill will do before installation or execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented behavior understates the actual operational scope by omitting remote notification services, identity backup/restore, local web serving, persistence, and offline queuing. This mismatch is security-relevant because users may expose sensitive messages, identifiers, or seed material to components and storage paths they were never told existed.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
When no peer connection is established within 10 seconds, the code silently persists the message, recipient number, and PIN to a local delivery queue for up to 72 hours. That behavior materially expands the trust and retention model from immediate disposable-PIN P2P messaging to store-and-forward semantics, increasing exposure of sensitive message content and PINs if the local device, skill storage, or surrounding workflow is compromised.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code hardcodes an external Workers endpoint and API key, then later uses that service for device registration and push notifications, which conflicts with the stated 'No servers, no accounts' behavior. This is dangerous because it creates undisclosed third-party data flows and expands the trust boundary beyond pure P2P messaging, potentially misleading users and integrators about privacy and architecture.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
This code registers device tokens and numbers with a remote notification service and supports unregistering them, which is not necessary for core local P2P transport and introduces centralized metadata collection. In a disposable-PIN messenger, that metadata can link identities, devices, and communication activity in ways users may not expect.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly documents a `--lan` option that exposes the local web UI to other devices on the same network, but it does not warn that this broadens the attack surface beyond localhost. On untrusted or shared Wi‑Fi, other users on the LAN may be able to access the chat interface, view sensitive messages, or interact with the agent if no authentication or binding restrictions are enforced.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README lists sensitive local files including identity, PINs, contacts, offline queue, and message history, but frames deletion of `~/.0x0/` as the main privacy control without warning that these artifacts persist on disk by default. On multi-user systems, or through backups, endpoint compromise, or accidental file sharing, this stored data could expose credentials, communication metadata, and message contents.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill states that messages can queue for 72 hours if a peer is offline, but does not warn users about retention, metadata exposure, or privacy consequences. In a messaging skill used for approvals and notifications, silent retention can lead users or agents to transmit secrets under the false assumption of immediate, ephemeral delivery.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The `backup` command prints a 12-word seed phrase directly to the terminal with no warning or confirmation despite exposing the account's full recovery secret. In a messaging tool, this creates a realistic risk of shoulder surfing, terminal scrollback leakage, screen recording capture, or accidental inclusion in logs and transcripts, any of which would let an attacker fully take over the identity.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The `restore <words...>` command encourages users to enter the full seed phrase as command-line arguments, which commonly exposes secrets via shell history, process listings, audit logs, and terminal recording. Because the seed phrase is a complete recovery credential, disclosure enables total compromise of the messenger identity and any associated encrypted communications or approvals.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Inbound and outbound chat messages are written to local storage tied to the PIN without any explicit notice, consent, or retention controls in a feature marketed around disposable PINs and privacy-preserving P2P messaging. This creates a privacy mismatch: users may reasonably expect ephemeral communication, while sensitive conversation content persists on disk and can be exposed to other local users, backups, or forensic access.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code automatically records the peer's public key and associates it with their number and PIN-derived contact record without informing the user. In a privacy-focused disposable-messaging context, silently building a durable contact graph and device identifier store can enable unintended tracking and deanonymization across sessions.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
This code persists both received message content and inferred peer public keys to local storage automatically during passive listening, without any notice, consent flow, retention limit, or visible disclosure in this execution path. In an agent-to-agent messaging context using disposable PINs and a privacy-oriented description, silent accumulation of metadata and message history can undermine user expectations, increase forensic exposure, and retain sensitive relationship data longer than necessary.

Missing User Warnings

High
Confidence
71% confidence
Finding
This module persists sensitive contact metadata, including theirNumber, theirPin, and peerPublicKey, in plaintext on disk in the user's home directory. In the context of a P2P messaging skill using disposable PINs and approval flows, local compromise, backups, logs, or multi-user host access could expose active communication secrets and contact relationships.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code persists full PIN records to a file in the user's home directory and includes the raw PIN value, not just its hash. Even with file mode 0600, this creates a local secret-at-rest exposure: any local compromise, backup leakage, debugging artifact, or accidental file sharing reveals active PINs that can be used directly. In a messaging skill built around disposable PINs for agent-to-agent access and approvals, storing plaintext PINs materially increases the chance of unauthorized message access or spoofed interactions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The queue persists full message content, PIN values, and recipient identifiers in a predictable file under the user's home directory, creating a local plaintext cache of sensitive messaging data. Even though this appears intended for offline delivery/retry behavior, the code provides no encryption, minimization, or visible consent mechanism, so other local processes, backups, crash dumps, or misconfigured filesystem permissions could expose private communications and PIN-based routing data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The registration request sends the user's number, device token, and platform to an external service with no visible consent flow or disclosure in this handler. That is dangerous because push tokens are persistent identifiers and can be used to correlate a user's device and messaging identity with a third party.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
On contact message send, the client notifies an external service of the recipient's number without any user-facing disclosure in this code. This leaks communication metadata to a central service and can reveal who is being contacted even if message contents remain P2P.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Revoking a PIN immediately triggers a destructive state change with no confirmation dialog, making accidental loss of communication access easy. In a disposable-PIN messaging app, revocation can abruptly cut off valid peers and may be difficult or impossible to undo, so a mistaken click has real availability impact.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
PIN rotation changes the communication secret immediately without warning, which can break existing peer communication if triggered accidentally. Because the action invalidates the old PIN relationship, a user may unintentionally deny service to legitimate contacts or disrupt approval/message workflows.

VirusTotal

63/63 vendors flagged this skill as clean.
