Fulcra Dashboard

Security checks across malware telemetry and agentic risk

Overview

This dashboard skill has useful Fulcra visualization behavior, but it also exposes sensitive agent memory and local backend capabilities with weak scoping and publication safeguards.

Install only if you are comfortable with a local dashboard that can access Fulcra data and agent memory paths. Before using it, remove or lock down the Agent Vault download endpoint, bind the server to 127.0.0.1, avoid connecting the chat envoy to the main agent session, and do not publish to GitHub Pages until you have reviewed and redacted every generated data file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
import os
import subprocess

# the filename should be like "agent/treecle/memory/top_of_mind.md"
# so we download it to a temp path then read and serve it
# (`filename` is taken from the incoming HTTP request in the surrounding handler)
tmp_path = f"/tmp/{os.path.basename(filename)}"
subprocess.run(["uv", "tool", "run", "fulcra-api", "file", "download", filename, tmp_path], check=True, capture_output=True)

with open(tmp_path, 'rb') as f:
    content = f.read()
Confidence
93% confidence
Finding
subprocess.run(["uv", "tool", "run", "fulcra-api", "file", "download", filename, tmp_path], check=True, capture_output=True)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
A skill framed as a local dashboard builder also instructs the agent to publish the output to a public GitHub repository and GitHub Pages. That expansion in scope increases the chance that private Fulcra data will be exposed externally, especially if users assume the workflow remains local-only.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The advanced modification instructs the server to forward dashboard chat input into the main OpenClaw session via subprocess. This creates a cross-context bridge from untrusted web input into a privileged agent session, enabling prompt injection, session manipulation, data leakage, or unintended agent actions.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill includes checking for GitHub CLI, installing/authenticating it, and creating remote repositories, which exceeds what is necessary for dashboard visualization. This broadens the operational surface and may lead to credential use, unintended remote publication, or repository creation without adequate privacy review.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script embeds agent directives that expand behavior beyond local dashboard scaffolding into external API access, local server execution, and optional publication to GitHub Pages. In an agent setting, these instructions can drive unnecessary network access, data exfiltration, or unintended repo publication that is not required by the stated skill purpose of building a local HTML dashboard.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The file implements an interactive chat client and relay integration even though the skill is described as a single-file dashboard for Fulcra visualization. This expands the skill's capabilities beyond its declared purpose and creates an unnecessary data-flow path for user input to be transmitted to a backend, which increases attack surface and user surprise.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code automatically performs local API requests to /api/chat to retrieve message history or a greeting from a Python relay/OpenClaw backend. For a dashboard-only skill, this is unjustified network behavior and may expose local services, leak dashboard context, or normalize hidden backend interaction without a clear security boundary.

Intent-Code Divergence

Low
Confidence
79% confidence
Finding
The comment indicates the local Python server may simulate responses or route data to OpenClaw, which contradicts the dashboard-only description and suggests hidden agent/back-end behavior. While a comment alone is not executable, it is strong evidence that the implemented feature set includes undeclared external processing of user content.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The dashboard registers global error and unhandled promise rejection handlers that automatically POST runtime details to /api/chat, which is unrelated to rendering a visualization dashboard. In this skill context, adding a covert communication path to a chat endpoint is highly suspicious because it can exfiltrate internal state, errors, and potentially sensitive data without user action or disclosure.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The template embeds an interactive chat UI backed by chatEnvoy() and a send action, introducing a backend relay capability unrelated to the stated purpose of visualizing Fulcra data. In a visualization-only skill, this creates an unnecessary command-and-control style channel that could be used to transmit data off-dashboard or interact with privileged backend services.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
The dashboard exposes direct download links to agent memory artifacts such as memory.gz and top_of_mind.md, which are unrelated to dashboard presentation and likely contain sensitive internal state. In this context, surfacing agent memory through clickable links is a direct data exposure path that could leak secrets, prompts, reasoning traces, or other confidential operational data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is described as a single-file dashboard renderer, but this code adds a backend API that can fetch files via an external Fulcra CLI. That materially expands the trust boundary and gives remote users access to capabilities unrelated to simple visualization, increasing the risk of unauthorized data access.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Launching `uv tool run fulcra-api` from an HTTP request handler introduces a powerful external execution path not obviously required for serving a dashboard. Even if intended for convenience, it increases attack surface and enables remote triggering of privileged local tooling through the web server.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The comments describe `/api/chat` as local-only, but the server later binds to `('', PORT)`, exposing it on all interfaces by default. This mismatch can lead operators to assume the endpoint is only accessible locally when in fact any reachable host may interact with it and read chat history.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The POST chat functionality is labeled local-only, but the server configuration exposes the endpoint beyond localhost. This creates an unnecessary remote interface that permits anyone with network reachability to inject messages into in-memory state and interact with backend logic.

Description-Behavior Mismatch

Low
Confidence
96% confidence
Finding
The CSS imports Google Fonts from a third-party domain, which causes the browser to make an external network request whenever the dashboard is loaded. In a skill described as producing a single-file/local dashboard, this undermines offline/local-only expectations and leaks user metadata such as IP address, user agent, timing, and referrer context to an external service.

Missing User Warnings

High
Confidence
97% confidence
Finding
The instructions encourage publishing a GitHub Pages site containing Fulcra-derived content without a clear warning that personal data may become publicly accessible. Given the skill also pulls user annotations, summaries, and potentially agent-related data, accidental disclosure risk is substantial.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
User-entered chat messages are transmitted to a local API endpoint without any visible warning, consent prompt, or disclosure in this code path. In the context of a visualization skill, this is especially problematic because users would not reasonably expect free-form text they enter to be sent to a relay service, potentially exposing sensitive information.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Automatic error reporting sends runtime information to /api/chat with no user notice, consent, or indication that a chat endpoint is being used for telemetry. Even if intended for debugging, this can disclose sensitive values embedded in error messages and creates an opaque data flow inconsistent with a local dashboard experience.

Missing User Warnings

Low
Confidence
94% confidence
Finding
The external font import sends user/browser requests to Google without any disclosure in this file, creating an unnecessary privacy leak. While not a code-execution issue, it violates expectations for a self-contained dashboard and can expose usage patterns and environment metadata to a third party.

Ssd 3

High
Confidence
98% confidence
Finding
The workflow directs the agent to inspect memory backup files and summarize real user data into dashboard content. This increases exposure of sensitive personal or agent-memory information and can propagate private details into generated artifacts, local files, or even public deployments.

VirusTotal

65/65 vendors flagged this skill as clean.
