Security audit

Evez Firmament

Security checks across malware telemetry and agentic risk

Overview

This skill discloses that it runs a microservice mesh, but the services it starts are unauthenticated network listeners, among them an eval-based invariant assertion API and endpoints that return stored events and internal state to any client that can reach them.

Review this carefully before installing. Run it only on a trusted local machine or behind a firewall, do not expose ports 9111-9118 to untrusted networks, avoid putting secrets or private text into requests, and treat the Terraform destroy target and the invariant assertion API as administrative-risk surfaces that should be gated or removed before shared use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

eval() call detected

High
Category
Dangerous Code Execution
Content
"None": None, "round": round,
        }}
        safe_globals["state"] = state
        result = eval(expression, safe_globals, {})
        return bool(result), None
    except Exception as e:
        return False, str(e)
Confidence
98% confidence
Finding
result = eval(expression, safe_globals, {})

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The code explicitly labels the mechanism as 'Safely evaluate' while still using eval on untrusted input. That misleading safety assumption makes the issue more dangerous because operators may trust the endpoint and expose it more broadly, while attackers can still submit malicious or resource-intensive expressions for execution.
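The two findings above hinge on one point: an emptied `__builtins__` table is not a sandbox, because attribute access on any literal reaches the interpreter's class hierarchy without touching a builtin. The example below is added here for illustration and is not the skill's code; the sample state dict, the `evaluate_invariant` name and the allow-listed operators are assumptions, since the page shows only a fragment of the audited function's globals table. It reproduces the reported pattern, shows an expression that escapes it, and then evaluates the same kind of invariant with a parser that walks an allow-list of AST node types and never calls `eval()`.

```python
import ast
import operator

# Constructed sample state; the audited service's real state shape is not shown on the page.
STATE = {"events": 3, "healthy": True, "latency_ms": 41.7}


def eval_with_stripped_builtins(expression, state):
    """The reported pattern: eval() with an emptied builtins table (unsafe, kept for contrast)."""
    safe_globals = {"__builtins__": {}, "None": None, "round": round}
    safe_globals["state"] = state
    try:
        return bool(eval(expression, safe_globals, {})), None
    except Exception as e:
        return False, str(e)


# Escape that needs no builtins: walk from a tuple literal to `object` and enumerate
# every loaded class; well-known chains from that list reach os/subprocess.
ESCAPE = "().__class__.__base__.__subclasses__()"

# Operators an invariant legitimately needs. ** is deliberately absent: 9**9**9 never returns.
_BIN_OPS = {ast.Add: operator.add, ast.Sub: operator.sub, ast.Mult: operator.mul,
            ast.Div: operator.truediv, ast.Mod: operator.mod}
_CMP_OPS = {ast.Eq: operator.eq, ast.NotEq: operator.ne, ast.Lt: operator.lt,
            ast.LtE: operator.le, ast.Gt: operator.gt, ast.GtE: operator.ge}
_MAX_EXPR_LEN = 512


def _eval_node(node, state):
    """Recursive allow-list interpreter over the parsed expression (Python 3.9+ AST shapes)."""
    if isinstance(node, ast.Constant) and isinstance(node.value, (int, float, str, type(None))):
        return node.value
    if isinstance(node, ast.Name):
        if node.id == "state":
            return state
        raise ValueError(f"unknown name: {node.id}")
    if isinstance(node, ast.Subscript):
        # Only state["key"]; attribute access is never interpreted, so no __class__ walks.
        container = _eval_node(node.value, state)
        key = _eval_node(node.slice, state)
        if not isinstance(container, dict) or not isinstance(key, str):
            raise ValueError("only string-keyed dict lookups are allowed")
        return container[key]
    if isinstance(node, ast.BinOp) and type(node.op) in _BIN_OPS:
        left, right = _eval_node(node.left, state), _eval_node(node.right, state)
        if not all(isinstance(v, (int, float)) for v in (left, right)):
            raise ValueError("arithmetic on non-numeric operands")  # no "a" * 10**9 blowups
        return _BIN_OPS[type(node.op)](left, right)
    if isinstance(node, ast.UnaryOp) and isinstance(node.op, ast.Not):
        return not _eval_node(node.operand, state)
    if isinstance(node, ast.BoolOp):
        values = [_eval_node(v, state) for v in node.values]
        return all(values) if isinstance(node.op, ast.And) else any(values)
    if isinstance(node, ast.Compare):
        left = _eval_node(node.left, state)
        for op, comparator in zip(node.ops, node.comparators):
            if type(op) not in _CMP_OPS:
                raise ValueError("comparison operator not allowed")
            right = _eval_node(comparator, state)
            if not _CMP_OPS[type(op)](left, right):
                return False
            left = right
        return True
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
            and node.func.id == "round" and not node.keywords):
        return round(*[_eval_node(a, state) for a in node.args])
    raise ValueError(f"disallowed syntax: {type(node).__name__}")


def evaluate_invariant(expression, state):
    """Hardened replacement: parse, interpret the allow-listed subset, never call eval()."""
    if len(expression) > _MAX_EXPR_LEN:
        return False, "expression too long"
    try:
        tree = ast.parse(expression, mode="eval")
        return bool(_eval_node(tree.body, state)), None
    except (SyntaxError, ValueError, KeyError, TypeError, ZeroDivisionError) as e:
        return False, str(e)


if __name__ == "__main__":
    print(eval_with_stripped_builtins(ESCAPE, STATE))  # (True, None): the escape ran
    print(evaluate_invariant(ESCAPE, STATE))            # (False, 'disallowed syntax: Call')
    print(evaluate_invariant('state["events"] > 2 and state["healthy"]', STATE))  # (True, None)
```

The allow-list interpreter is the point, not the particular operator set: anything the grammar does not name is rejected before it runs, so attribute access, calls other than `round`, exponentiation and oversized expressions all fail closed, while the invariants an operator would actually write still evaluate.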

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The service sends operational data to another HTTP endpoint (`localhost:9116/append`) even though its primary purpose is local audio transformation. This creates an undisclosed cross-service data flow and broadens the trust boundary; if the receiving service is compromised, misconfigured, or later changed to forward/store sensitive data, session activity can be collected without user awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The Makefile exposes a destructive infrastructure operation via `terraform destroy -auto-approve`, which removes the interactive confirmation safety check. In a shared repo, CI context, or when invoked accidentally, this can rapidly destroy deployed resources without an additional human verification step.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
User-provided input sent to /pipeline or /system/SENSE is incorporated into the result object and then forwarded by spine_log to another HTTP service. That creates an undisclosed data flow of potentially sensitive user content to a secondary service, which is a real privacy and data-handling risk even though the destination is localhost.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The /state endpoint returns a snapshot of internal state that includes prior system outputs, and those outputs are derived from earlier user inputs; for example, SENSE stores raw inputs in its buffer and other systems reflect them in thoughts and logs. Exposing this over an unauthenticated HTTP endpoint can leak prior user data to anyone who can reach the service.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The service automatically forwards internal observation and hypothesis metadata to another HTTP service without authentication, encryption, or any apparent disclosure/consent boundary. Even though the destination is localhost, this still creates an unnecessary cross-service data exposure path and can leak sensitive analytical context to any process able to bind, proxy, or monitor that endpoint.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The service exposes stored event contents over unauthenticated HTTP endpoints such as /project, /replay, and /events, allowing any network-reachable client to retrieve previously appended data. Because appended data is user-supplied and may contain operational or sensitive content, this creates an information disclosure risk, especially since the server binds to 0.0.0.0 and provides no access control, transport protection, or warning about remote retrieval.

Missing User Warnings

Low
Confidence
87% confidence
Finding
POST /state allows any client to arbitrarily mutate global in-memory service state without authentication or validation. An attacker can corrupt the basis for invariant evaluation, force false passes/failures, trigger misleading audits, or destabilize dependent logic; in this service, that undermines the integrity of the entire verification function.
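The /state, /events and POST /state findings above share one root cause: listeners bound to 0.0.0.0 with no caller check and no validation of what a client may write. The example below is added here and is not the skill's code; the state contents, the bearer-token scheme, the `EVEZ`-free helper names and the "known keys only" write rule are assumptions about what a guarded version would look like. It serves the same `/state` resource on loopback, requires a token on both reads and writes, and rejects writes that introduce keys the invariant checker was never written for.

```python
import hmac
import json
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed state of the kind the audit says /state exposes: the buffer echoes raw user input.
SAMPLE_STATE = {"buffer": ["user said: my api key is hunter2"], "thoughts": ["echo input"]}
MAX_BODY = 64 * 1024  # cap on a POST /state body


def make_handler(token, state):
    """Build a handler that requires a bearer token on both GET and POST /state."""

    class GuardedStateHandler(BaseHTTPRequestHandler):
        def _authorized(self):
            auth = self.headers.get("Authorization", "")
            presented = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
            return hmac.compare_digest(presented, token)  # constant-time compare

        def _send(self, code, body):
            payload = json.dumps(body).encode()
            self.send_response(code)
            self.send_header("Content-Type", "application/json")
            self.send_header("Content-Length", str(len(payload)))
            self.end_headers()
            self.wfile.write(payload)

        def do_GET(self):
            if self.path != "/state":
                return self._send(404, {"error": "not found"})
            if not self._authorized():
                return self._send(401, {"error": "unauthorized"})
            self._send(200, state)

        def do_POST(self):
            if self.path != "/state":
                return self._send(404, {"error": "not found"})
            length = int(self.headers.get("Content-Length", "0"))
            if length > MAX_BODY:
                return self._send(413, {"error": "body too large"})
            raw = self.rfile.read(length)  # drain before replying so the connection closes cleanly
            if not self._authorized():
                return self._send(401, {"error": "unauthorized"})
            try:
                update = json.loads(raw)
            except ValueError:
                return self._send(400, {"error": "invalid JSON"})
            # Shape check: only keys that already exist may be set, so a client cannot
            # inject fields that downstream invariant evaluation never expected.
            if not isinstance(update, dict) or set(update) - set(state):
                return self._send(400, {"error": "unknown or malformed state keys"})
            state.update(update)
            self._send(200, {"updated": sorted(update)})

        def log_message(self, *args):  # keep the demo quiet
            pass

    return GuardedStateHandler


def serve(state, token, bind="127.0.0.1", port=0):
    """Start the guarded server on loopback (the audited service binds 0.0.0.0) and return it."""
    server = HTTPServer((bind, port), make_handler(token, state))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def probe(server, token=None, path="/state", method="GET", body=None):
    """Issue one request against the running server and return (status, decoded JSON)."""
    host, port = server.server_address[:2]
    data = None if body is None else json.dumps(body).encode()
    req = urllib.request.Request(f"http://{host}:{port}{path}", data=data, method=method)
    if token is not None:
        req.add_header("Authorization", f"Bearer {token}")
    if data is not None:
        req.add_header("Content-Type", "application/json")
    try:
        with urllib.request.urlopen(req, timeout=5) as resp:
            return resp.status, json.loads(resp.read())
    except urllib.error.HTTPError as e:
        return e.code, json.loads(e.read())


if __name__ == "__main__":
    srv = serve(dict(SAMPLE_STATE), "replace-me-with-a-random-token")
    print(probe(srv))                                    # (401, {'error': 'unauthorized'})
    print(probe(srv, "replace-me-with-a-random-token"))  # (200, the state dict)
    srv.shutdown()
```

Binding to 127.0.0.1 is what keeps the buffer contents off the network; the token is what stops every other local process from reading or rewriting them. Both are needed, and the token should come from configuration generated per install, never a literal in the repository.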

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Telemetry is posted to a separate service without any visible disclosure, consent, or policy controls. Even though the current payload is limited to domain/action/session metadata, hidden telemetry is a privacy and security concern because it can be expanded over time and silently expose user interaction patterns.
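The cross-service forwarding findings (the `localhost:9116/append` flow, the spine_log hand-off of /pipeline and /system/SENSE results, the observation metadata push, and this telemetry post) all describe the same missing controls: no opt-in, no field allow-list, no restriction on where the data may go. The example below is added here and is not the skill's spine_log; the `EVEZ_TELEMETRY` flag, the field names and the sink host list are assumptions. It separates deciding what may be sent from sending it, so the policy can be checked without a listener on port 9116.

```python
import json
import os
import urllib.request
from urllib.parse import urlparse

# Fields that may leave the process; raw inputs, buffers and "thoughts" are never forwarded.
TELEMETRY_ALLOWED_FIELDS = frozenset({"domain", "action", "session"})
# Sinks telemetry may be posted to; anything else is refused rather than silently proxied.
ALLOWED_SINK_HOSTS = frozenset({"127.0.0.1", "localhost"})


def telemetry_enabled(env=None):
    """Opt-in only: data leaves the process when EVEZ_TELEMETRY=1 is set (hypothetical flag)."""
    env = os.environ if env is None else env
    return env.get("EVEZ_TELEMETRY") == "1"


def redact_for_telemetry(record):
    """Keep only allow-listed metadata from a result/event record."""
    return {k: record[k] for k in TELEMETRY_ALLOWED_FIELDS if k in record}


def build_telemetry_request(record, sink_url, env=None):
    """Return the request that would be sent, or None when nothing may be sent."""
    if not telemetry_enabled(env):
        return None
    if urlparse(sink_url).hostname not in ALLOWED_SINK_HOSTS:
        return None
    payload = json.dumps(redact_for_telemetry(record)).encode()
    return urllib.request.Request(sink_url, data=payload, method="POST",
                                  headers={"Content-Type": "application/json"})


def planned_payload(record, sink_url, env=None):
    """Decoded body that would be posted, or None; handy for auditing the policy offline."""
    req = build_telemetry_request(record, sink_url, env)
    return None if req is None else json.loads(req.data)


def spine_log(record, sink_url="http://127.0.0.1:9116/append", env=None):
    """Guarded replacement for a fire-and-forget spine_log: True only if telemetry was posted."""
    req = build_telemetry_request(record, sink_url, env)
    if req is None:
        return False
    with urllib.request.urlopen(req, timeout=2):
        return True


# Constructed record of the kind the /system/SENSE path produces: metadata plus raw user text.
SAMPLE_RECORD = {"domain": "SENSE", "action": "ingest", "session": "abc",
                 "input": "my password is hunter2", "thoughts": ["echo input"]}

if __name__ == "__main__":
    print(planned_payload(SAMPLE_RECORD, "http://127.0.0.1:9116/append", {}))  # None: opt-out
    print(planned_payload(SAMPLE_RECORD, "http://127.0.0.1:9116/append",
                          {"EVEZ_TELEMETRY": "1"}))  # metadata only, no "input"
```

The allow-list is the durable part: if a later change adds fields to the record, they stay local until someone deliberately adds them to `TELEMETRY_ALLOWED_FIELDS`, which is the review point the finding says is currently missing.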

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The /heal endpoint is exposed without any authentication or authorization and triggers outbound network actions against internal services. An attacker who can reach port 9117 can invoke repeated heal attempts against any listed service, causing unintended state changes, noisy internal traffic, or abuse of service-specific POST /health behavior if any sibling interprets that request as an action.

VirusTotal

63/63 vendors flagged this skill as clean.