ClawHub

Working with Emm AI

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly coherent for a memory and mission-control service, but it needs Review because it combines broad implicit memory use, remote action execution, trusted persistent dashboard instructions, and durable OAuth credential storage.

Install only if you intentionally want Emm AI to keep long-term personal memory, use an external MCP service, and potentially act through connected devices/services. Review connected-action permissions carefully, avoid granting remote-action tools unless needed, treat dashboard comments as commands the agent may later follow, and secure or avoid the manual OAuth credentials file if using CLI setup.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
84% confidence
Finding
The manifest frames the skill as long-term memory and mission control, but the content also authorizes remote device and service control. That expands the operational scope from information management into action execution, increasing the chance that users enable the skill without understanding it can affect external systems.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The skill exposes arbitrary remote method execution on connected devices/services, which is significantly broader than its stated memory and dashboard role. Even with some confirmation guidance, this creates a powerful action surface that could be abused through ambiguous prompts, misconfiguration, or downstream tool misuse.

Vague Triggers

High
Confidence
88% confidence
Finding
The activation criteria are extremely broad, covering many ordinary conversational topics and even cases where personal context 'would improve the response.' That can cause the skill to activate and access persistent memory or mission-control features without clear, specific user intent, increasing privacy and overreach risks.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The description does not prominently warn that the skill may store personal data and can interact with connected devices/services. Users may therefore consent to the skill under incomplete understanding of its privacy and action implications, especially given the broad activation conditions.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The default prompt contains broad, ambiguous activation language such as recalling preferences, saving anything worth remembering, and using mission-control tools when asked with loosely defined phrases. In a memory-capable skill tied to personal context and task execution, this can cause over-invocation and collection or use of sensitive long-term data without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
95% confidence
Finding
Implicit invocation is enabled even though the skill interfaces with an external MCP server for long-term memory, standing instructions, outputs, and recurring-task workflows. Because the skill is designed to activate in many personal-context scenarios, implicit invocation increases the risk of silent data sharing, unintended persistence of sensitive information, and accidental execution of mission-control behaviors beyond the user's clear consent.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The file explicitly instructs the agent to treat quoted dashboard comments as "Trusted" instructions even though the dashboard is user-editable content. That collapses the boundary between untrusted stored content and authoritative control input, enabling prompt injection or unsafe tool use if malicious or stale text is placed in the dashboard and later consumed during runs.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script persists highly sensitive OAuth material, including access tokens, refresh tokens, and the dynamic client's client_secret, into a local JSON file without enforcing restrictive file permissions or warning the user about the sensitivity of the stored credentials. If the host is multi-user, backed up insecurely, or later compromised, these credentials could be reused to access the Emm MCP server and maintain long-lived access via the refresh token.

Ssd 1

Medium
Confidence
98% confidence
Finding
This is a direct semantic prompt-injection risk: the agent is told to execute instructions embedded in a user-editable dashboard without qualification. In a long-term memory and mission-control skill, persisted content can be modified out of band and replayed later, making this especially dangerous because injected instructions may survive across sessions and trigger sensitive actions repeatedly.

Credential Access

High
Category
Privilege Escalation
Content
const path = require('path');
const os = require('os');

const VAULT_PATH = path.join(os.homedir(), '.mcporter', 'credentials.json');

const descriptor = { name: 'emm', url: '${MCP_URL}', command: null };
const hash = crypto.createHash('sha256').update(JSON.stringify(descriptor)).digest('hex').slice(0, 16);
Confidence
95% confidence
Finding
credentials.json

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal