Security audit

credence-pi

Security checks across malware telemetry and agentic risk

Overview

This governance plugin is coherent, but it sends and logs sensitive agent tool data by default, so users should review its privacy and control settings before installing.

Install only if you are comfortable with a local governance daemon observing all agent tool proposals and model usage. Before enabling it, set redactToolInputs to true unless you explicitly need raw tool inputs in the daemon log, keep daemonUrl bound to localhost or a trusted endpoint, and plan how ~/.credence-pi/observations.jsonl will be protected, rotated, or deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (7)

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding:
The README states that the daemon logs proposed tool-call inputs by default, including commands and paths, and notes these can carry secrets. Default collection of potentially sensitive agent inputs creates a confidentiality risk because operators may deploy the plugin before noticing or understanding the privacy implication, and those logs may persist in ~/.credence-pi/observations.jsonl or be exposed through backups, local compromise, or support sharing. In this context, the plugin sits directly in the tool-execution path, so the logged data can include highly sensitive prompts, shell commands, file paths, and secret-bearing arguments.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding:
The plugin sends tool proposal data, session identifiers, and optionally raw tool inputs to an external daemon for governance decisions. Even though the daemon defaults to localhost and input redaction is configurable, this file provides no enforced consent, no mandatory disclosure, and no hard restriction against configuring a remote daemon, so sensitive prompts, commands, paths, or tokens may be exfiltrated to another service.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding:
The plugin posts tool completion metadata and per-turn model usage/cost telemetry to the daemon, creating a continuous record of agent behavior and model activity outside the host. While result summaries are nulled, error fields, session IDs, timing, model names, token counts, and cost data can still reveal sensitive operational details, and there is no explicit disclosure or consent mechanism here.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding:
The plugin transmits tool-call metadata, session identifiers, extracted features, and optionally raw tool inputs to a remote daemon without any direct in-file user-facing disclosure or consent flow. Because tool parameters may contain secrets, commands, file paths, or sensitive prompts, this creates a real privacy and data-exfiltration risk, especially when redactToolInputs is disabled by default or not clearly surfaced.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding:
Tool results and errors are posted to the daemon after execution, and those outputs can easily include secrets, credentials, proprietary data, file contents, or stack traces. Sending them off-process without clear disclosure or minimization expands the trust boundary and can leak sensitive runtime data to the daemon operator or any system monitoring that daemon traffic.

Missing User Warnings
Severity: Low
Confidence: 83%
Finding:
Conversation-derived usage and cost telemetry is sent to the daemon, including model and token/cost information, without direct user-facing disclosure in this file. While less sensitive than raw tool inputs or results, this still leaks behavioral and potentially business-sensitive metadata about user activity, prompts, and model usage patterns.

Ssd 3
Severity: Medium
Confidence: 88%
Finding:
The session summary logs include aggregate spend, blocked calls, denied approvals, and shadow-mode governance statistics in plain language. In environments where plugin logs are accessible to operators, shared consoles, CI systems, or centralized logging backends, this can expose sensitive behavioral information about user activity and decision-making beyond the immediate agent session.

VirusTotal

60/60 vendors flagged this plugin as clean.