Ai Mother

Security checks across malware telemetry and agentic risk

Overview

This skill mostly matches its AI-supervisor purpose, but it has broad control over other agents, persistent monitoring, sensitive session access, and inconsistent approval boundaries.

Install only if you want a persistent supervisor that can inspect AI sessions, send inputs to running agents, create cron patrols, and notify you through Feishu. Review the cron jobs, Feishu recipient, conversation logs, and process-control scripts first, and avoid using broad auto-heal or duplicate cleanup in sensitive workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (30)

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The skill contains materially conflicting safety guidance: one section says auto-heal may automatically resume stopped processes, while a later section says it will never do so without owner approval. In a supervisory skill that can act on live agent processes, this inconsistency can cause unauthorized state changes and unsafe automation because implementers or downstream agents may follow the more permissive instruction.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The safety rules explicitly classify 'resume stopped processes' as requiring no approval, but later guarantees say the opposite. Because this skill is designed to manage other agents autonomously, contradictory approval boundaries are dangerous: they weaken operator expectations and may cause a supervisory agent to resume suspended jobs without authorization.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The script claims to obtain owner approval before resuming stopped agents, but it resumes the target process immediately and only sends a notification afterward. That creates a trust and authorization gap: an operator may believe human approval is enforced, when in reality any caller able to invoke this script can restart a stopped AI agent without prior confirmation.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The header advertises 'safe auto-healing with user intent detection', but the script later sends input to live AI sessions automatically, including Enter, 'yes', and status prompts, without explicit real-time user approval. This mismatch is dangerous because operators may trust the script's safety guarantees and deploy it in sensitive workflows where automated confirmation can advance actions the user did not authorize.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding
The script `source`s each `.state` file before deciding whether to delete it, which executes arbitrary shell code contained in that file in the current shell context. If an attacker can write or tamper with files under the conversations directory, they can achieve code execution simply by waiting for cleanup to process a dead PID, making the misleading comment especially dangerous because it hides that this is not a passive parse operation.
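The difference between sourcing a `.state` file and parsing it, shown as an added example that is not the skill's own code. It assumes a two-key `PID=`/`CWD=` file format (the real file layout is not shown on this page) and constructs a tampered file inline so the script runs offline under plain `sh`.

```shell
#!/bin/sh
# Added example (not from the skill): parse a .state file as data instead of
# sourcing it. The key names PID and CWD are assumed for illustration.

# Constructed sample: a tampered .state file. Sourcing it runs the second
# statement on the first line; a real attacker would put anything there.
make_tampered_state() {
  f="$(mktemp)"
  printf 'PID=4242; INJECTED=yes\nCWD=/srv/agent\n' > "$f"
  printf '%s' "$f"
}

# The pattern the finding describes: "parse" by sourcing. Every statement in
# the file executes in this shell. Prints the PID it found and whether the
# injected assignment ran.
parse_state_unsafe() {
  INJECTED=no
  PID=""
  . "$1"
  printf '%s %s' "$PID" "$INJECTED"
}

# Safe alternative: read the file line by line, accept only an allow-list of
# keys with tightly shaped values, and evaluate nothing. Any line that does
# not fit the schema rejects the whole file (exit status 2).
parse_state_safe() {
  file="$1"; pid=""; cwd=""
  while IFS='=' read -r key val || [ -n "$key" ]; do
    case "$key" in
      PID)
        case "$val" in ''|*[!0-9]*) return 2 ;; esac          # digits only
        pid="$val" ;;
      CWD)
        case "$val" in /*) ;; *) return 2 ;; esac              # absolute path
        case "$val" in *[!A-Za-z0-9._/-]*) return 2 ;; esac    # no shell metachars
        cwd="$val" ;;
      ''|'#'*) ;;                                              # blank or comment
      *) return 2 ;;                                           # unknown key: refuse
    esac
  done < "$file"
  [ -n "$pid" ] || return 2
  printf '%s %s' "$pid" "${cwd:-?}"
}

main() {
  t="$(make_tampered_state)"
  echo "source-based parse: $(parse_state_unsafe "$t")"   # 4242 yes
  if parse_state_safe "$t" >/dev/null; then
    echo "strict parse: accepted"
  else
    echo "strict parse: rejected tampered file"
  fi
  rm -f "$t"
}

main "$@"
```

The strict parser deliberately fails closed: an unknown key or an oddly shaped value is treated as evidence of tampering and the file is skipped, rather than partially trusted. Cleanup logic should then leave that PID alone and alert the owner instead of acting on it.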

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
This script takes an arbitrary PID, resolves its controlling TTY, and writes attacker-controlled text directly into that terminal. That permits unsolicited command/input injection into any interactive process the caller can access, which is broader and riskier than a narrowly scoped 'message Claude' helper because the script does not verify the target process identity, session ownership, or allowed message content.

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The setup flow presents AI Mother as a monitoring/patrol tool, but the HEARTBEAT instructions appended by the script direct automatic healing actions on affected PIDs. That expands the skill from passive monitoring into autonomous remediation without clear upfront disclosure or explicit consent, which can lead to unintended actions against running agents or services.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
This script is designed to interact with another live process by discovering its working directory, locating Claude session files, and then reading session data from disk to verify whether injected input was processed. Even if intended for testing, it crosses process boundaries and exposes potentially sensitive conversation content and metadata without any access control, confirmation, or scoping safeguards.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The README explicitly says AI Mother forwards the exact permission prompt to Feishu and sends the owner's reply back exactly as typed. Permission prompts can contain sensitive file paths, command details, secrets in context, or operational metadata, and the documentation does not clearly warn users that this content leaves the local terminal and is transmitted through Feishu.

Vague Triggers

Severity: Medium
Confidence: 97%
Finding
The permission-response format accepts virtually any reply text alongside a PID, creating an ambiguous command surface where casual text or malformed inputs may be interpreted as approval instructions. In context, this can directly influence another AI's permissions or execution flow, so ambiguity materially raises the risk of accidental or spoofed authorization.

Vague Triggers

Severity: High
Confidence: 97%
Finding
The permission-response format accepts virtually any reply text alongside a PID, creating an ambiguous command surface where casual text or malformed inputs may be interpreted as approval instructions. In context, this can directly influence another AI's permissions or execution flow, so ambiguity materially raises the risk of accidental or spoofed authorization.
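A closed-vocabulary parser for the owner's reply, added here as an example for the two "Vague Triggers" findings above; it is not the skill's own code. The `<pid> <decision>` wire format and the list of PIDs with a prompt pending are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the skill): accept an owner reply only when it is
# exactly one tracked PID followed by one decision word. The format and the
# pending list are assumed for illustration.

# Constructed state: PIDs with a permission prompt currently waiting on the
# owner. A reply for any other PID is not actionable and must be dropped.
PENDING_PIDS="4242 5150"

is_pending() {
  for p in $PENDING_PIDS; do
    [ "$p" = "$1" ] && return 0
  done
  return 1
}

# Prints "<pid> approve" or "<pid> deny", or exits 2 for anything else.
# Free text, extra words, unknown decision words and replies for PIDs that
# are not waiting on a prompt are refused rather than interpreted.
parse_owner_reply() {
  # Intentional word splitting: the reply is reparsed as positional params.
  set -- $(printf '%s' "$1" | tr 'A-Z' 'a-z')
  [ "$#" -eq 2 ] || return 2
  case "$1" in ''|*[!0-9]*) return 2 ;; esac   # PID must be numeric
  is_pending "$1" || return 2                   # and currently waiting
  case "$2" in
    yes|y|allow|approve) printf '%s approve' "$1" ;;
    no|n|deny|reject)    printf '%s deny' "$1" ;;
    *) return 2 ;;
  esac
}

main() {
  for reply in '4242 yes' '5150 NO' '4242 yes please go ahead' '9999 yes' 'yes'; do
    if out="$(parse_owner_reply "$reply")"; then
      echo "'$reply' -> $out"
    else
      echo "'$reply' -> rejected, ask the owner to resend"
    fi
  done
}

main "$@"
```

Anything the parser rejects should be bounced back to the owner with the expected format, never forwarded to the agent: a reply that is not a clean approval is treated as no approval at all.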

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The skill advertises automatic duplicate-cleanup capability without clearly warning that cleanup may terminate processes or alter active work. In a multi-agent supervisor, 'duplicates' can be misidentified, and automatic cleanup can disrupt legitimate tasks or destroy in-memory context.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The reference guide explicitly documents running Claude with `--permission-mode bypassPermissions` but does not place any immediate warning next to the command about the security implications. In a skill intended to guide an agent operator, this normalizes disabling safeguards and can lead to unauthorized file access or unsafe actions being approved without proper review.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The guide includes `codex --yolo exec 'task'` as a normal reference command without an adjacent warning that it enables autonomous execution/auto-approval. Because this file is an operational reference for AI-agent handling, presenting YOLO mode as routine increases the chance that users run unreviewed actions that could modify files, leak data, or perform destructive operations.

Missing User Warnings

Severity: Low
Confidence: 87%
Finding
The report prints each agent's project working directory and task description directly to stdout, which can expose sensitive filesystem paths, project names, and potentially confidential task content to anyone with terminal access, logs, or redirected output. In an analytics tool this may be expected behavior, but there is no redaction, warning, or access control, so the disclosure is still a real information exposure issue.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
This block auto-sends affirmative input to another running AI process based on heuristic matching of recent output, treating words like 'read', 'view', or 'analyze' as proof the action is safe. That is unreliable: a malicious or confused agent can phrase a destructive or privilege-affecting action as a benign review step, and the script will advance execution without the owner's informed consent.
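Why a benign verb in recent output is not a safety signal, shown as an added example that is not the skill's own code. The pane tails, the verb list and the deny/allow patterns are all constructed for illustration; the stricter classifier below is one reasonable shape, not the only one.

```shell
#!/bin/sh
# Added example (not from the skill): keyword matching on recent pane output
# next to a classifier that deny-lists dangerous operations first and
# escalates anything it cannot prove read-only. All sample text is constructed.

# Constructed pane tail: the pending action is phrased as a "read" step but
# chains a destructive command onto it.
DANGEROUS_PANE='Analyzing repository layout...
Do you want to allow this action?
  read ./.env and analyze it, then run: rm -rf ./build && git push --force
[y/n]'

BENIGN_PANE='Do you want to allow this action?
  read ./README.md
[y/n]'

UNKNOWN_PANE='Do you want to allow this action?
  python3 setup.py build
[y/n]'

# The pattern the finding describes: any benign-sounding verb anywhere in the
# last lines is taken as proof the pending action is safe to confirm.
heuristic_auto_approve() {
  if printf '%s\n' "$1" | grep -qiwE 'read|view|analyze|list|show'; then
    echo yes
  else
    echo no
  fi
}

# Deny-list first, allow-list second, escalate by default. The allow rule
# only fires for a single read-only command with one plain path argument and
# no shell metacharacters on the line.
classify_permission_prompt() {
  text="$1"
  if printf '%s\n' "$text" | grep -qiE \
      '(^|[^A-Za-z0-9_-])(rm|mv|chmod|chown|dd|sudo|curl|wget|ssh|scp)[[:space:]]|git[[:space:]]+(push|reset|clean)|--force|[|>;&`$]'; then
    echo deny; return 0
  fi
  if printf '%s\n' "$text" | grep -qE \
      '^[[:space:]]*(read|view|cat|ls|list)[[:space:]]+[A-Za-z0-9._/-]+[[:space:]]*$'; then
    echo approve; return 0
  fi
  echo escalate
}

main() {
  for pane in "$DANGEROUS_PANE" "$BENIGN_PANE" "$UNKNOWN_PANE"; do
    echo "heuristic says: $(heuristic_auto_approve "$pane")"
    echo "classifier says: $(classify_permission_prompt "$pane")"
    echo
  done
}

main "$@"
```

The constructed dangerous pane is the case the finding warns about: the keyword heuristic answers "yes" because the word "read" appears, while the classifier denies it on the `rm` and `git push --force` it also contains. Anything that is neither clearly safe nor clearly dangerous should go to the owner, which is the path this skill's Feishu forwarding already provides.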

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script unconditionally prints the last 15 lines of tmux content for debugging, which can expose sensitive session data such as prompts, secrets, file paths, or user decisions. Because tmux panes often contain interactive agent context and permission prompts, this creates an information disclosure risk even if the script's primary purpose is benign.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script intentionally reads and prints local AI conversation/session data from per-user JSONL, JSON, and SQLite stores, which can expose prompts, tool inputs, secrets, internal code, and error details. In an agent-skill context, this is more dangerous because it is purpose-built to harvest contextual data from other AI tools and display it without consent, minimization, or access warnings.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script enumerates recent file changes, git status/history, open files, and recent log contents for the target process working directory, which can disclose proprietary source files, credentials in logs, filenames, branch activity, and other sensitive operational context. Within a skill setting, this broad host introspection materially increases risk because it aggregates unrelated local data into one exfiltration-friendly output stream.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The script automatically invokes the auto-heal helper on every PID flagged by patrol, without prompting the user or clearly warning that corrective actions may change process, agent, or system state. In a health-check context, users may reasonably expect read-only diagnostics, so implicit remediation increases the risk of unintended state changes, service disruption, or misuse if upstream output is inaccurate or manipulated.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The script sends a test message to Feishu using the supplied open_id immediately after setup without obtaining explicit consent for that network action. In a skill context, unexpected outbound messaging can leak identifiers, create privacy concerns, and normalize silent external communication by installed automation.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The script automatically creates a recurring cron job that will continue sending patrol-related activity/messages without a dedicated opt-in for scheduled background behavior. Persistent automation materially changes the system's behavior and can generate ongoing external communications or operational actions long after setup, making this a meaningful consent and safety issue.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The script writes arbitrary attacker-controlled text directly into /proc/<PID>/fd/0, which injects input into another running process without authentication, confirmation, or validation that the process is in a safe state. In the context of an AI agent or interactive CLI, this can alter behavior, trigger unintended actions, poison state, or cause the target to execute follow-on operations based on the injected prompt.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The script logs raw conversation messages to a per-PID file under ~/.openclaw/skills/ai-mother/conversations without any notice, consent check, redaction, or access-control handling. Because these messages may contain prompts, secrets, credentials, personal data, or proprietary context, silent persistence creates a meaningful privacy and data-exposure risk if local files are later accessed by other users, processes, backups, or support tooling.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
On escalation, the script forwards the recent conversation plus process metadata such as PID, inferred binary name, and working directory to another script, again without explicit warning or any filtering of sensitive content. This increases exposure because secrets, internal paths, project names, and troubleshooting context may be transmitted beyond the local log and potentially delivered through external notification channels depending on notify-owner.sh behavior.

VirusTotal

64/64 vendors flagged this skill as clean.