SecondMind

Security checks across malware telemetry and agentic risk

Overview

SecondMind is a coherent memory assistant, but it installs persistent background jobs and processes private conversation history through cloud and messaging services with limited consent controls.

Install only if you are comfortable with this skill reading your OpenClaw session history, storing long-term memory and emotional inferences, sending selected content to OpenRouter, and creating recurring background jobs. Review config.json, cron or Task Scheduler entries, notification settings, and the database retention/reset behavior before enabling it on sensitive workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill clearly invokes shell commands and uses networked services (OpenRouter and Telegram), yet no explicit permissions are declared in metadata. This creates a transparency and policy-enforcement gap: users and hosting platforms cannot accurately assess or constrain what the skill can do before activation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented behavior understates the operational scope of the skill: beyond memory and suggestion features, it runs bots, sends outbound notifications, schedules background jobs, monitors sessions, and performs state-changing actions from natural-language input. This mismatch is dangerous because users may consent to a memory tool without realizing it has autonomous execution, monitoring, and messaging capabilities.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The reminder engine does more than suggest ideas: it automatically mutates proposal state to 'dead' based on heuristic conditions such as max nudges reached or being ignored twice. In an autonomous assistant handling memory, projects, and proactive initiative, this can silently discard tasks or recommendations without explicit user confirmation, creating integrity and accountability risks.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Natural-language feedback is sent to an external LLM and the returned JSON is used to drive state-changing actions on proposals. That creates an indirect-command execution path where ambiguous input, model error, prompt injection-like phrasing, or third-party processing can cause unauthorized or unintended accepts/rejects/drops without deterministic parsing.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The installer modifies persistent host scheduler state by creating cron jobs or Windows scheduled tasks, which is a sensitive system change. While periodic ingestion is consistent with the skill's functionality, doing this from setup without explicit consent or clear disclosure creates persistence and expands the blast radius if later scripts misbehave or are compromised.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The setup script executes external system commands such as npm installation and later scheduler-management commands, which are privileged side effects for an installer tied to a memory assistant. Even if intended for convenience, automatic command execution increases risk because it can alter the host environment and execute package lifecycle scripts without meaningful user confirmation.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup prompt instructs the agent to execute installation, testing, and service-management commands that can modify user configuration, create cron persistence, and launch background processes, but it provides no safety warning, consent checkpoint, or review step before doing so. In an agent-facing setup document, this is risky because it encourages direct execution of side-effecting commands in a user's environment, including handling API keys and starting long-lived automation.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly advertises persistent memory, mood detection, and proactive analysis of conversations, while also stating that all models run via OpenRouter Cloud. That means potentially sensitive conversation content and inferred emotional data may be transmitted off-device to a third-party service, yet the warning is framed mainly around functionality and cost rather than privacy risk and consent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The Telegram setup encourages sending proposals and reminders through Telegram, but does not clearly warn that those messages may contain sensitive knowledge inferred from private conversations. This can leak user data into another external platform and broaden exposure beyond the local host and LLM provider.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill processes conversation transcripts, derives emotions and events, and stores them in long-lived memory, but the description does not present this as a clear privacy-sensitive operation. Users may expose sensitive personal or organizational data without informed consent, especially given emotional inference and archive retention.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The setup flow instructs users to configure OpenRouter and Telegram, implying external transmission of transcript-derived content and notifications, but it does not explicitly warn that data may leave the local environment. This is risky because users may unknowingly send sensitive context, emotional inferences, or reminders to third-party cloud providers and messaging platforms.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The function sends raw chat content to an external LLM service via `chatJSON` without any evidence in this file of user notice, consent, minimization, or gating. In this skill's context, the extracted content explicitly includes knowledge, emotions, people, and events, so undisclosed transmission can expose highly sensitive personal and relational data to a third-party model provider.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code submits full session content for summarization with no visible indication of notice or consent controls. Even though the prompt says not to include sensitive data, the full unfiltered session is still transmitted to the provider, which is risky because chats may contain personal, confidential, or regulated information before any model-side filtering occurs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The initiative generator transmits serialized context data to an LLM, and that context is likely to include archived memory, project tracking, feedback history, emotions, and social-event information. Because this skill is specifically designed for proactive memory and social intelligence, undisclosed external processing materially increases privacy risk and can reveal intimate behavioral patterns beyond ordinary chat content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code sends the full `messages` payload to OpenRouter, a third-party remote API, with no evidence in this file of user consent, minimization, or redaction. In the context of a memory-heavy assistant that ingests conversations, project data, emotions, and social context, those messages may contain sensitive personal or organizational information, so silent external transmission materially increases privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This code sends the user's search query and the retrieved result set to an LLM-based reranking component, which can expose potentially sensitive memory contents to an external model provider or downstream service. In this skill's context, the data being searched appears to include conversations, knowledge, emotions, and archived long-term memory, so silent transfer for reranking materially increases privacy and data-handling risk even if the behavior is functionally intended.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script sends aggregated raw chat content to `extractKnowledge(content)`, and the skill metadata states all models run via OpenRouter Cloud, implying conversation data may leave the local environment for third-party processing. Because these chats can contain sensitive personal, project, and emotional information, transmitting them without explicit informed consent, disclosure, or data-minimization controls creates a real privacy and data-handling vulnerability.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code persists inferred emotions, intensity, triggers, and social context derived from chats into dedicated database tables, creating a sensitive behavioral profile of users and contacts. Storing inferred psychological and social data without explicit consent, purpose limitation, or visibility controls is dangerous because it increases harm from misuse, overcollection, insider access, or database compromise.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
This code archives full session contents and, for longer sessions, sends them to an external summarization path via `flushSession(content)` without any visible consent, notice, minimization, or sensitivity filtering. Because this skill is explicitly designed to ingest conversations, emotions, project context, and proactive suggestions, the captured data is likely to include sensitive personal, behavioral, or proprietary information, making silent retention and third-party processing a meaningful privacy and data-exposure risk.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The code sends proactive notifications derived from inferred personal, emotional, and project context, including stale frustrations, moods, and upcoming events, without any visible consent gate or per-category notification control in this file. In a memory/social-intelligence skill, unsolicited outreach based on sensitive inferences can expose private context to notification surfaces and surprise users or bystanders.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The bot will automatically treat free-form text as actionable feedback whenever it 'looks like feedback' and a prior digest exists, with no explicit confirmation. In this context, that can silently change proposal states and later trigger archival or project actions from ordinary conversational text, making accidental destructive operations more likely.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
At line 50 the installer unconditionally invokes platform-specific scheduler setup, causing persistent background execution without a prior confirmation prompt. Silent persistence is risky because users may not realize they have installed recurring jobs, and such jobs continue running after setup completes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The Linux cron setup reads the current crontab, removes any line containing 'secondmind', and installs a rewritten crontab without telling the user that matching entries will be replaced. This can unintentionally delete unrelated jobs containing the same substring and silently alter existing scheduler state.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Windows setup deletes and recreates scheduled tasks with fixed names without advance warning or confirmation. This is dangerous because it overwrites scheduler state, may remove a user's customized tasks with the same names, and establishes persistence automatically.

Ssd 3

Medium
Confidence
90% confidence
Finding
The pre-reset workflow explicitly captures session content before a user-requested reset and instructs the agent to surface the script output, which can undermine the user's expectation that reset/new starts a clean slate. In a memory-ingesting skill, this is especially sensitive because it preserves and potentially exposes context at the exact moment the user is trying to clear it.

VirusTotal

64/64 vendors flagged this skill as clean.
