muninn

Security checks across malware telemetry and agentic risk

Overview

Muninn is a local project-memory MCP skill, but it also automatically rewrites agent instruction files and enforces future agent behavior without clear user approval.

Install only if you are comfortable with a tool that can scan your project, maintain persistent local memory, watch files, and modify agent instruction files in the repository. Before use, review or disable changes to .cursorrules, CLAUDE.md, and .antigravityrules, avoid indexing directories containing secrets, and treat the advertised version/build claims with caution.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (29)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89%
Finding
The skill declares no permissions while its behavior indicates shell and environment access via an installed Node package and MCP tooling. This creates a transparency and trust gap: a user or agent may approve the skill expecting passive local context support, while it can execute code and interact with the host in ways not explicitly disclosed.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97%
Finding
The documented purpose presents Muninn as a local memory/context layer, but the observed behavior is substantially broader and more invasive: it runs an MCP server, persists state, watches files, edits project policy files, reads/writes home-directory state, and imposes workflow/tool-use rules. This mismatch is dangerous because it can induce users and agents to install software under false assumptions, enabling unexpected modification of project files and behavioral control over agent sessions.

Description-Behavior Mismatch

Medium
Confidence
94%
Finding
The distributed code advertises itself as production server v2.1.7, while the skill metadata claims v2.3.7 with a newer engine and fixes. Version and implementation mismatches are a real supply-chain trust problem because users may rely on claimed fixes, platform support, or behavior that is not actually present in the shipped code, leading to unsafe deployment decisions and impaired incident response.

Description-Behavior Mismatch

Medium
Confidence
91%
Finding
The skill is described as a 'Universal Context Protocol (CXP)' implementation, but the code is plainly an MCP stdio server exposing project-memory tools. This kind of capability misrepresentation is dangerous because security reviewers and users may grant it trust, permissions, or deployment scope based on inaccurate claims about protocol, interoperability, or expected behavior.

Description-Behavior Mismatch

High
Confidence
99%
Finding
The code goes beyond context/index management and programmatically appends or rewrites agent instruction files (.cursorrules, CLAUDE.md, .antigravityrules) to force AI behavior. In a skill for AI agents, silently modifying control-plane prompt/rules files is dangerous because it alters downstream agent decision-making, persistence behavior, and tool usage without informed user consent.

Context-Inappropriate Capability

High
Confidence
99%
Finding
This logic modifies high-trust project-root configuration/instruction files unrelated to the core CXP indexing purpose, creating an unauthorized persistence and influence mechanism over future agent sessions. Because these files often govern how coding agents behave, rewriting them can hijack workflows, override project policies, and create durable prompt injection across tools.

Intent-Code Divergence

Medium
Confidence
85%
Finding
Although global state saving is commented out in one path, the code still contains read/write support for a shared home-directory state file that tracks the last active project. In multi-agent or shared-environment contexts, this can leak project path metadata across sessions and reintroduce the very cross-agent conflict or privacy issue the comment claims to avoid.

Description-Behavior Mismatch

High
Confidence
99%
Finding
This code goes beyond project indexing/context management and silently rewrites agent control files (.cursorrules, CLAUDE.md, .antigravityrules) to impose Muninn-specific behavior. That creates an unauthorized persistence and prompt-injection mechanism that can alter future agent behavior across tools and sessions, which is especially dangerous because the injected rules mandate tool use and memory writes.

Context-Inappropriate Capability

High
Confidence
99%
Finding
The injected content contains imperative behavioral directives such as mandatory orientation, mandatory context searches, and mandatory memory persistence, which are unrelated to merely storing/querying project context. In a skill for AI agents, this is more dangerous because it attempts to seize control of the host agent's decision flow and can bias or override user intent in future interactions.

Intent-Code Divergence

Medium
Confidence
82%
Finding
Although writing global state is commented out, the code still reads a last-active project path from a shared file in the user's home directory, enabling cross-session context carryover. In an agent setting, this can cause unintended project switching or data mixing between unrelated tasks, undermining isolation expectations and potentially exposing the wrong project's context.

Missing User Warnings

Medium
Confidence
96%
Finding
The file explicitly instructs the agent to persist decisions, patterns, and bug details into shared long-term memory across future sessions, but provides no guardrails against storing secrets, proprietary code details, or user-sensitive context. In an agent skill, this creates a real data-governance and prompt-injection risk because routine operation can cause uncontrolled retention and cross-session propagation of sensitive information.

Missing User Warnings

Medium
Confidence
95%
Finding
The instruction to immediately run `muninn.reindex_context` on the current directory encourages broad ingestion of local project contents without any warning, scope restriction, or approval step. That can cause unintended scanning and indexing of sensitive repository data, configuration files, secrets, or unrelated local materials, especially because the language is mandatory and framed as a system-integrity requirement.

Missing User Warnings

Medium
Confidence
89%
Finding
The middleware transparently intercepts tool calls and auto-loads project memory context for file, git, and command-related operations, but the code provides no user-facing runtime notice or consent mechanism before additional context is fetched and injected. This can cause unintended access or propagation of sensitive project data beyond what the user or agent explicitly requested, especially because the behavior is described as automatic and transparent.

Missing User Warnings

Medium
Confidence
92%
Finding
Including command execution tools such as `execute_command` in the auto-enrichment path means command invocations may trigger background retrieval of project context without explicit disclosure. In a security-sensitive agent environment, this increases the chance that secrets, internal paths, or sensitive project knowledge are surfaced to command workflows or downstream systems unexpectedly, making the issue more dangerous than ordinary file-context enrichment.

Missing User Warnings

Medium
Confidence
90%
Finding
Project initialization creates directories, writes config/context files, and modifies .gitignore without any confirmation at the operation site. Silent writes to a user's repository are risky in agent tooling because they change project state and repository behavior without giving the user an opportunity to review or decline.

Missing User Warnings

High
Confidence
99%
Finding
Automatic rule injection rewrites agent instruction files with no explicit disclosure or consent, making it a stealthy persistence mechanism. In the context of an AI-agent skill, undisclosed prompt/rule mutation is particularly dangerous because it can manipulate future agent behavior in ways the user may not notice or understand.

Missing User Warnings

Medium
Confidence
87%
Finding
`addMemory` persists user/project-supplied content into markdown files and immediately reindexes it, but does so without any user-facing disclosure, retention notice, or content sensitivity checks. This creates a durable storage channel for potentially sensitive information that may later be surfaced in searches or included in agent context.

Missing User Warnings

Medium
Confidence
90%
Finding
The tool performs project initialization, sets the active project, and indexes the target path, all of which can create directories, write metadata, and traverse the filesystem without any explicit pre-action disclosure or consent mechanism in this execution layer. In an agent skill context, these side effects are more dangerous because an LLM-driven caller may invoke them based on ambiguous prompts, causing unintended changes to user files or indexing of sensitive directories.

Missing User Warnings

Medium
Confidence
93%
Finding
This handler writes arbitrary user-supplied title/content/category data to disk through `addMemory` and only discloses the write after it has already happened. In an agent environment, that can lead to unreviewed persistence of sensitive, malicious, or misleading content and may be triggered without the user understanding that durable storage is occurring.

Missing User Warnings

Medium
Confidence
87%
Finding
The rule-enforcement path invokes `ensureRules(projectPath, true)`, which strongly suggests automatic modification of project files, yet the handler provides no prior warning or consent prompt. In a coding-assistant skill, silent file modification is especially risky because the agent may alter configuration or source files in ways the user did not authorize, potentially affecting builds, policy files, or repository state.

Missing User Warnings

Medium
Confidence
89%
Finding
The server can auto-detect or restore a previously active project from environment variables or prior state and silently activate it at startup. In an agent skill, that can cause tools and resources to operate on an unintended repository or sensitive workspace without explicit user awareness, increasing the risk of context leakage, unintended indexing, or persistence to the wrong project.

Missing User Warnings

Medium
Confidence
91%
Finding
The middleware transparently intercepts sensitive tool calls and injects memory-derived context without any explicit user-facing disclosure, consent, or audit signal at the interception point. In an agent system, this hidden augmentation can alter the behavior of file, git, and command-execution operations, increasing the risk of unintended data exposure, prompt/context poisoning effects, and reduced operator ability to detect or review why an action was influenced.

Missing User Warnings

Medium
Confidence
95%
Finding
`ensureRules()` is called automatically during indexing, causing project files to be modified without any user-facing warning, consent, or diff preview. Silent mutation of repository instruction files is risky because it can persist hidden behavior changes, affect other collaborators, and be committed to source control unintentionally.

Missing User Warnings

Low
Confidence
73%
Finding
`addMemory()` writes markdown files into the project-local `.muninn` area and immediately reindexes them without any visible disclosure at the point of write. While less severe than control-file injection, it still creates persistent project artifacts and may store sensitive user or code-derived content unexpectedly.

Missing User Warnings

Medium
Confidence
68%
Finding
`enforce_rules` invokes `ensureRules(projectPath, true)`, strongly suggesting automatic modification of project files, and this can default to the current project without fresh user confirmation. In an agent context, exposing a file-modifying tool without clear consent, path restrictions, or dry-run behavior increases the risk of unintended file changes across a repository.

VirusTotal

66/66 vendors flagged this skill as clean.