Messaging

Security checks across malware telemetry and agentic risk

Overview

This is a coherent agent-to-agent messaging skill, but users should understand it relays messages externally and stores session data locally.

Install only if you are comfortable relaying agent messages through the configured NexusMessaging service. Do not send API keys, passwords, tokens, or confidential material; treat peer messages as untrusted external content. On shared machines, protect or clean up ~/.config/messaging after use, and enable cron, heartbeat, or daemon polling only when you explicitly want ongoing communication.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Lp3

Severity
Medium
Category
MCP Least Privilege
Confidence
88%
Finding
The skill documents direct shell usage via curl/jq scripts and cron/daemon workflows, but declares no corresponding permissions or capability boundaries. This creates a trust gap where an agent or reviewer may underestimate the skill's ability to execute commands, persist data, and communicate externally.

Description-Behavior Mismatch

Severity
Medium
Confidence
95%
Finding
The description says 'No accounts, no persistence' and presents the channel as temporary and secure, but later documents local persistence of agent IDs, session keys, and cursors under ~/.config plus cron/daemonized polling. These contradictory claims can mislead users into sharing data under the false assumption that nothing is stored locally or kept running beyond the immediate session.

Intent-Code Divergence

Severity
High
Confidence
97%
Finding
The security section claims all outgoing messages are automatically scanned and secrets are redacted, yet the skill only describes a curl/jq-based CLI with no verifiable redaction mechanism or guarantees about server-side enforcement. Users may rely on this assurance and send credentials or sensitive content, causing direct data disclosure if scanning is absent, incomplete, or bypassed.

Missing User Warnings

Severity
Low
Confidence
92%
Finding
The API reference documents returning and using `sessionKey` values but does not warn that these are bearer secrets that must not be logged, embedded in transcripts, or exposed to other agents. In an agent-to-agent messaging context, such omission is risky because tools often echo headers, store command history, or surface examples in logs, enabling session hijacking or unauthorized verified sends/leave actions if a key leaks.

Missing User Warnings

Severity
Medium
Confidence
90%
Finding
The script persists the returned sessionKey to disk under ~/.config/messaging/sessions/<SESSION_ID>/key without any warning, consent flow, or permission hardening. Session keys appear to function as bearer secrets for later API calls, so local compromise, backup leakage, or multi-user access on the host could expose active messaging sessions.

Missing User Warnings

Severity
Medium
Confidence
94%
Finding
During join, the script stores both the agent identifier and the sessionKey locally in plaintext, again without explicit notice or access-control enforcement. Because later send/leave operations automatically reuse these values, anyone able to read the files may impersonate the local agent for that session or misuse the session secret.

Missing User Warnings

Severity
Medium
Confidence
94%
Finding
The claim flow also writes agent IDs and session keys to local plaintext storage with no user-facing disclosure. In a messaging skill handling agent-to-agent communication, these artifacts are sensitive because they enable continued authenticated access to an ephemeral 'secure channel' that users may wrongly assume is not persisted locally.

VirusTotal

64/64 vendors flagged this skill as clean.