Confidant

Security checks across malware telemetry and agentic risk

Overview

Confidant is purpose-built for secret handoff, but it needs review because its secret flow uses unpinned external tooling, optional public tunnels, and under-scoped secret output/storage paths.

Install it only if you trust the @aiconnect/confidant and localtunnel packages and are comfortable running a local credential server. If you do:
  • Prefer local-only use; do not start the public tunnel unless you actually need it.
  • Avoid stdout mode, since stdout is routinely captured by agent logs and transcripts.
  • Hand over only scoped, revocable secrets.
  • Verify where each secret will be saved, and avoid arbitrary output paths unless necessary.
  • Stop any tmux, server, or tunnel processes once the handoff is complete.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Description-Behavior Mismatch

Severity: Medium (94% confidence)

The documented direct CLI commands expand the skill from a human-only secret handoff flow into agent-to-agent submission and direct secret retrieval. That broadens the attack surface significantly, because an agent can bypass the claimed safeguards and programmatically fill, fetch, or inspect secrets, undermining the stated security model.

Intent-Code Divergence

Severity: High (97% confidence)

The file emphatically says agents cannot retrieve secrets themselves and must not access the URL, but later documents commands like `confidant get` and `confidant fill` that enable exactly that kind of direct handling. This contradiction is dangerous because it creates a false sense of safety while still advertising bypass paths an agent or attacker could use.

Context-Inappropriate Capability

Severity: Medium (94% confidence)

The script can automatically expose the secret-submission endpoint to the public internet via localtunnel when --tunnel is used. In a credential handoff tool, expanding a localhost-only secret intake flow to a remotely reachable URL materially increases interception, phishing, and unauthorized submission risk, especially because the tool is specifically designed to collect sensitive credentials.

Context-Inappropriate Capability

Severity: Medium (96% confidence)

The helper auto-executes packages fetched via npx for both the confidant CLI and localtunnel, which means unpinned third-party code may be downloaded and run at secret-collection time. In a secret-handling workflow, this creates a supply-chain execution path in the same trust boundary as credential intake and storage, making compromise particularly dangerous.

Context-Inappropriate Capability

Severity: Medium (90% confidence)

The setup script installs localtunnel globally, which adds a tool specifically meant to expose local services to the public internet. For a skill whose stated purpose is secure secret handoff and credential setup, bundling inbound exposure capability is unnecessary for the core function and increases attack surface, especially if later workflows use it around localhost-based secret entry or callback flows.

Missing User Warnings

Severity: Medium (96% confidence)

Allowing secrets to be printed to stdout is risky because stdout is commonly captured by agent logs, orchestration layers, transcripts, crash reports, or terminal scrollback. In a tool whose primary purpose is avoiding chat and history exposure, documenting stdout output without strong warnings materially increases the chance of secret leakage.

Missing User Warnings

Severity: Medium (93% confidence)

The advanced CLI examples include `fill`, `get-request`, and `get` operations that can submit or retrieve sensitive data directly, but they are presented without explicit sensitivity warnings or access-control caveats. That normalizes dangerous operations and makes misuse more likely, especially in agentic environments where commands may be copied verbatim into automated flows.

Missing User Warnings

Severity: Medium (88% confidence)

After printing the share URL, the script delegates to the CLI to poll for the submitted secret and optionally save it to disk or export it to an environment variable, but the user is not given a prominent upfront warning at the moment of invocation about these side effects. For a credential setup tool, silent persistence of secrets increases the chance of mishandling, unintended retention, and leakage through filesystem permissions, backups, shell history, or downstream processes.

Missing User Warnings

Severity: Medium (90% confidence)

The script may automatically start external package execution and background subprocesses without a clear user-facing warning, including downloading executables via npx and launching a server process. In the context of a security-sensitive credential handoff utility, this reduces operator awareness and can lead to unintended exposure, unexpected network activity, and harder-to-audit behavior.

VirusTotal

65/65 vendors flagged this skill as clean.
