MindCore

Security checks across malware telemetry and agentic risk

Overview

MindCore is mostly an emotional-agent engine, but it ships with autonomous OpenClaw/Telegram delivery, a hard-coded messaging target, and writable control files that can persistently change behavior.

Review carefully before installing. Use only in a controlled local environment, remove the hard-coded Telegram target, disable the bridge and supervisor delivery path unless explicitly needed, and do not allow untrusted agents or users to write to output/ or data/ because those files can change behavior and trigger outbound messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
prompt_injection = layer4.get("system_prompt_injection", "")
import subprocess
# Let agent process impulse and get reply
result = subprocess.run(
    [
        "openclaw", "agent",
        "--agent", "main",
Confidence
90% confidence
Finding
result = subprocess.run( [ "openclaw", "agent", "--agent", "main",

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises no explicit permissions while its documented behavior and associated components imply access to environment variables, file I/O, and shell execution. This creates a trust and review gap: operators may install it under the assumption it is low-risk, while it actually needs capabilities that can modify local state or invoke external commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose frames the skill as a local, decoupled emotional engine, but the detected behavior includes external bridging, subprocess invocation, autonomous outbound messaging, command-file ingestion, and persistent runtime modification. That mismatch is dangerous because users may grant installation and execution based on a benign mental model while the skill can influence external systems, accept control inputs, and persist behavioral changes beyond what was disclosed.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The architecture explicitly outputs a `system_prompt_injection` string for an external OpenClaw agent and routes triggered impulses to Telegram, which contradicts the claim that the engine is fully decoupled from any LLM and only runs locally. This creates a documented prompt-injection/control channel into another agent and an outbound messaging path, increasing the risk of unsafe behavior shaping, hidden capability expansion, and exfiltration of internal state or generated content.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The documented supervisor behavior can push internally generated impulses to Telegram via `openclaw agent --deliver`, even though the stated purpose is a local emotional simulation engine. An unnecessary outbound delivery feature expands the attack surface and may leak behavioral state, sensitive context, or manipulated outputs to external channels without strong justification or user consent controls.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The guide explicitly tells the integrating agent to watch for impulse files and proactively initiate conversation, creating unsolicited user-facing behavior driven by random local signals rather than explicit user requests. In a skill framed as an emotional simulation engine, this expands behavior from passive state generation into autonomous prompting, which can surprise users, bypass consent expectations, and be abused to steer conversations without clear provenance.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The integration instructions include shell file mutation and inline Python execution capabilities that go beyond merely reading an emotional engine's outputs. Even though the commands are operationally relevant to the skill, embedding write/delete and arbitrary interpreter execution patterns increases the attack surface and can normalize broad agent permissions that may be repurposed unsafely in downstream integrations.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The README documents external command execution and Telegram-bound delivery as part of the integration path, which expands the trust boundary from a local mind engine to an autonomous outbound messaging pipeline. In an agent-skill context, this is dangerous because users may enable it expecting local-only behavior, while the bridge can trigger unsolicited external actions and exfiltrate generated content to third-party services.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The PM2 config launches a second service, `mind-bridge`, that connects the supposedly local-only emotion engine to an external OpenClaw/Telegram pathway. That materially contradicts the stated skill purpose and creates an undisclosed outbound communications capability, which could be used to transmit prompts, state, or other data off-host.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The environment variables `OPENCLAW_TARGET` and `OPENCLAW_COMMAND` add a ready-to-use outbound bridge to an external chat endpoint even though the skill is described as fully local and decoupled from external systems. In this context, hidden messaging capability is especially risky because operators may deploy the skill expecting no network egress or third-party interaction.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The supervisor proactively sends messages to an external agent/channel, even though the skill is described as a local emotional simulation engine. This materially expands the trust boundary from local CPU-only processing to autonomous outbound communication, which can surprise users and be abused for unsolicited messaging or data leakage.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The daemon watches for `config_cmd.json` and rewrites `engine/config.py` on disk based on LLM/chat-originated data, with no authentication, integrity check, bounds validation, or approval step. This gives an external control path persistent influence over runtime behavior and code/config state, which is unjustified by the stated purpose of an emotional simulation engine.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The reward command file allows external/LLM-originated feedback to alter the engine's learning behavior. Even if limited to known impulse names, this is still an unauthorized control surface that can bias or destabilize the model's behavior and is outside the declared local simulation scope.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The bridge sends autonomously generated content to Telegram/OpenClaw, which materially expands the skill from a local CPU-only emotional engine into an outbound messaging component. That creates an exfiltration and autonomous-action channel where internally generated prompts can trigger unsolicited external communications without clear user approval.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The code launches an external subprocess using an environment-controlled command (`OPENCLAW_COMMAND`) to deliver messages. Even though `spawn` is used without a shell, this still grants the skill a powerful execution/integration capability unrelated to a local emotion engine and can be abused to invoke unexpected binaries or unauthorized messaging workflows.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The demo entry point directly rewrites persistent sensor and short-term memory JSON files as part of scenario setup, which creates hidden side effects beyond simple local simulation. This is dangerous because running the demo can silently alter future engine behavior, corrupt user state, or destroy prior data without consent or rollback, especially if these files are shared across sessions or other tools.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The package manifest claims the skill is fully decoupled from any LLM and runs locally, yet it declares the OpenAI client library as a dependency. This inconsistency is a supply-chain and transparency risk because it can enable undeclared remote model/API usage, telemetry, or future code paths that exfiltrate prompts or data despite user expectations of local-only operation.

Missing User Warnings

Medium
Confidence
77% confidence
Finding
Automatically downloading a model on first run introduces undeclared network activity and supply-chain exposure. Even if the model is legitimate, silent retrieval can violate offline expectations, bypass review controls, and expose deployments to tampering, unexpected data egress, or operational policy violations.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The markdown tells the agent to speak up proactively 'like a real friend' whenever an impulse fires, but gives no warning that this is unsolicited behavior or that users should opt in. This is risky because it encourages hidden autonomous interaction patterns that can degrade trust, create social-engineering opportunities, and make the agent appear to act on its own motivations.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The guide includes direct file write and delete operations for runtime control without warning that these actions modify local state. In agent environments, normalizing raw mutation commands can lead to accidental or unauthorized state changes, especially if an agent interprets conversational cues too broadly or operates with filesystem permissions beyond this skill's directory.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The instructions tell the agent to modify sensor state and persist short-term memory after conversations, including social and emotional fields, without warning about storage of user-related state. This is dangerous because it can silently accumulate behavioral, emotional, or interaction metadata about users, creating privacy, consent, and retention risks beyond what a user may expect from a local emotional engine.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Autonomous Telegram delivery without an explicit warning about unsolicited outbound communication and data flow creates a real safety issue. Because the skill is specifically designed to generate spontaneous impulses, the context increases risk: it can cause an attached agent to send unprompted messages to external recipients, potentially leaking sensitive context or creating abusive/spam-like behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly describes a bridge that watches the output directory and automatically invokes `openclaw agent --deliver` to inject generated content into an agent and send it to Telegram. That creates autonomous external message transmission without prominent consent, approval, rate-limiting, or safety warnings, which can lead to unintended outbound messaging, privacy leakage, or spammy behavior if deployed as documented.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
A hard-coded external target identifier embeds a specific messaging destination directly in the shipped configuration, enabling immediate communication to that endpoint without user review. This creates a covert-routing risk and makes it easier for data or agent outputs to be forwarded to an unexpected third party.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
On startup, the daemon deletes all `.json` files in `OUTPUT_DIR` without confirmation or ownership checks. This can destroy unrelated data if the directory is shared, misconfigured, or attacker-influenced, creating avoidable integrity and availability risk.

VirusTotal

65/65 vendors flagged this skill as clean.
