Chaos Mind

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed local memory tool with optional transcript capture, but users should review the install path and keep auto-capture tightly scoped.

Before installing, review install.sh locally, avoid curl | bash, and verify any release artifacts when possible. Keep auto-capture disabled until you choose narrow transcript paths, exclude secrets or regulated data, and understand how to stop nohup/systemd capture and remove or audit the local ~/.chaos database.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue Agent: Self-Modification, Session Persistence
Findings (23)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill exposes shell execution through the install metadata (`bash install.sh`) but does not declare permissions accordingly. This creates a trust gap: an agent or user may treat the skill as low-risk documentation while it can execute arbitrary installer logic with the user's privileges.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The stated purpose emphasizes manual memory search/storage with optional opt-in auto-capture, but the documented behavior includes installation-time downloads, source builds, service installation, and database/service management that materially expand the attack surface. This mismatch can mislead operators and autonomous agents into approving or invoking a skill with far broader persistence, execution, and data-handling capabilities than expected.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The release instructions advertise 'auto-capture from session transcripts' and list it as a feature, which conflicts with the stated skill metadata that says auto-capture is opt-in only and emphasizes manual search/storage. In an agent memory skill, ambiguity about transcript capture materially increases privacy and consent risk because operators may deploy or publish the skill under a misleading understanding of when data is collected.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The installer states that release binaries are signed and reproducible, but it downloads and extracts archives from GitHub without verifying any signature, checksum, or trusted digest. That creates a supply-chain risk: a compromised release artifact, CDN path, repository, or local TLS interception point could lead to arbitrary code execution when the downloaded binaries are later run.

Intent-Code Divergence

Low
Confidence
93% confidence
Finding
The generated chaos-cli wrapper escapes single quotes in the search term, but it interpolates the LIMIT argument directly into the SQL string with no validation. An attacker controlling that parameter could inject additional SQL fragments or cause unexpected query behavior, especially because the script presents the wrapper as sanitized and safe.
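The finding above describes a wrapper that doubles single quotes in the search term but drops the LIMIT value into the SQL text unchanged. The script below is an added example, not the project's own chaos-cli code: it reconstructs that pattern in a small vulnerable function and puts a validated version next to it. The table and column names (memories, content) and the 1-1000 bound are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not the Chaos Mind project's wrapper. Reconstructs the
# finding: the search term is escaped, the LIMIT argument is not.
# Table/column names are assumed for illustration.

# Double single quotes so the term is safe inside a '...' SQL literal.
escape_sql_literal() {
    printf '%s' "$1" | sed "s/'/''/g"
}

# Vulnerable: LIMIT is trusted. Anything after the number becomes part of
# the statement the sqlite3 CLI will execute (it accepts multiple statements).
build_query_unsafe() {
    term=$(escape_sql_literal "$1")
    printf "SELECT id, content FROM memories WHERE content LIKE '%%%s%%' LIMIT %s;" "$term" "$2"
}

# Hardened: LIMIT must be a plain decimal integer in a sane range. The value
# is rejected before a query string is ever assembled, so no SQL fragment
# supplied through this parameter can reach the database.
build_query_safe() {
    case "$2" in
        ''|*[!0-9]*) echo "invalid LIMIT: must be a positive integer" >&2; return 1 ;;
    esac
    if [ "${#2}" -gt 4 ] || [ "$2" -lt 1 ] || [ "$2" -gt 1000 ]; then
        echo "LIMIT out of range (1-1000)" >&2
        return 1
    fi
    term=$(escape_sql_literal "$1")
    printf "SELECT id, content FROM memories WHERE content LIKE '%%%s%%' LIMIT %s;" "$term" "$2"
}
```

A whitelist check is the right fix here rather than more escaping: LIMIT takes an integer, so there is no legitimate input that contains anything other than digits. Where the wrapper can use bound parameters instead of string building, that is better still; the sqlite3 CLI makes that awkward, which is why strict validation of each interpolated value matters.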

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script installs a systemd unit for an 'Auto-Capture Consolidator' and configures it with Restart=always, which creates an always-on background service. That conflicts with the stated product behavior that auto-capture is opt-in only, and could cause users to enable persistent memory capture without clearly understanding that they are activating continuous collection.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The checklist documents default auto-capture of agent session JSONL files and memory markdown files without any accompanying notice about privacy scope, consent, or the kinds of potentially sensitive data those paths may contain. In a memory system for AI agents, these sources can include prompts, credentials, personal data, and internal reasoning artifacts, so omitting warnings materially increases the risk of unintended collection and retention.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The service setup instructions tell users to install and start a persistent systemd service but do not warn that it will continue monitoring configured sources and capturing data after installation and across reboots. That missing disclosure is significant because a background collector changes the risk from one-time manual ingestion to continuous surveillance of local files, increasing the chance of unnoticed long-term data collection.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The installation instructions encourage piping a network-fetched script directly into bash, which executes unreviewed code from a remote source with the user's shell privileges. If the repository, hosting path, transport, or account is compromised, users can be immediately exposed to arbitrary code execution during install.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions tell users to fetch a remote script and pipe it directly into bash, which executes unreviewed code from the network immediately. This creates a straightforward supply-chain execution path: if the repository, branch, transport, or referenced script is compromised, users will run attacker-controlled shell commands on their systems.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The test instructions delete ~/.chaos without warning, backup guidance, or confirmation, which can destroy user data if followed on a real system. Even if intended for a clean install test, release instructions are often copied verbatim, so undocumented destructive steps are dangerous in operational contexts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document explicitly recommends a `curl ... | bash` installation path without any warning about the risks of executing remote code directly from the network. This is dangerous because a compromised GitHub account, repository, branch, CDN path, or man-in-the-middle in a less trusted environment could cause arbitrary code execution on the user's machine immediately at install time.
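The curl-to-bash findings above, the unverified-archive finding, and the overview's advice to review install.sh locally all point to the same workflow: download to disk, verify, read, then run. The script below is an added example of that workflow and is not part of Chaos Mind or its installer. The URL and digest passed to install_pinned are placeholders; the sha256sum/shasum fallback is an assumption about which tool the host provides.

```sh
#!/bin/sh
# Added example, not the Chaos Mind project's own installer: fetch a release
# artifact or install script to a file, verify it against a SHA-256 obtained
# out of band (release page, signed checksum file), review it, then run it.
# The URL and digest used by install_pinned are placeholders.

set -u

# Print the SHA-256 of a file using whichever tool the host provides.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# Return 0 only if the file's digest equals the pinned digest. Compare in
# lower case because published checksums are sometimes upper case.
verify_sha256() {
    file=$1
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(sha256_of "$file")
    [ "$actual" = "$expected" ]
}

# Fetch to a file, never into a pipe, so the bytes can be hashed and read
# before anything executes. --proto/--tlsv1.2 refuse protocol downgrades.
fetch_to_file() {
    url=$1
    dest=$2
    curl --proto '=https' --tlsv1.2 -fsSL -o "$dest" "$url"
}

# Full flow: fetch, verify, review, run. Not invoked in this file (needs
# network); both arguments below are placeholders to replace.
install_pinned() {
    url=${1:-'https://example.invalid/install.sh'}                                          # placeholder
    expected=${2:-'0000000000000000000000000000000000000000000000000000000000000000'}  # placeholder
    tmpdir=$(mktemp -d) || return 1
    script="$tmpdir/install.sh"
    fetch_to_file "$url" "$script" || { echo "download failed" >&2; return 1; }
    if ! verify_sha256 "$script" "$expected"; then
        echo "digest mismatch for $script; refusing to run" >&2
        return 1
    fi
    ${PAGER:-less} "$script"                 # read what it will do first
    printf 'Run %s? [y/N] ' "$script"; read -r ans
    [ "$ans" = y ] && bash "$script"
}
```

A checksum proves integrity only against the value you compare it to: a checksum file served from the same repository path as the artifact catches corruption and a swapped CDN object, but not a compromised repository. If the project publishes signatures, as the installer text claims, verify those too (gpg --verify or cosign verify-blob against a key or identity obtained independently of the download).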

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The release notes instruct users to install and start a systemd service but do not clearly warn that these commands create and modify persistent system service state. This can mislead users into granting elevated privileges and enabling long-running background execution without fully understanding the persistence and operational impact.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest advertises 'auto-capture' in broad terms but does not clearly state when capture is enabled, what sources are included, or what consent boundaries apply. In a memory skill handling session transcripts, ambiguous activation language can lead users to unintentionally store sensitive prompts, responses, secrets, or team data.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The usage example shows starting auto-capture with a simple command but does not explain what content will be monitored, whether capture is continuous, or how to stop or limit it. That lowers the barrier to unintentionally enabling broad transcript collection in environments where chats may contain credentials, personal data, or confidential business information.

Missing User Warnings

High
Confidence
95% confidence
Finding
The manifest promotes auto-capture from session transcripts but does not provide an explicit privacy warning describing that potentially sensitive conversation data will be stored and processed. Because the skill is a memory system intended for team knowledge retention, missing disclosure materially increases the risk of accidental collection of secrets, internal discussions, or regulated data.
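Several findings above, and the overview's advice to exclude secrets and regulated data from auto-capture, come down to the same control: transcript lines should be screened before anything stores them. The filter below is an added example, not part of Chaos Mind: a stdin-to-stdout pass that redacts common credential shapes from JSONL transcript lines, plus a check that refuses input still containing them. The pattern list is deliberately short and is an assumption about what your transcripts contain; the sample lines are constructed.

```sh
#!/bin/sh
# Added example, not part of Chaos Mind: screen transcript JSONL before it
# reaches a memory store. Patterns are a starting point, not a complete list.

RE_AWS='AKIA[0-9A-Z]{16}'                                # AWS access key id
RE_GH='gh[pousr]_[A-Za-z0-9]{36}'                        # GitHub ghp_/gho_/ghu_/ghs_/ghr_ tokens
RE_PEM='-----BEGIN [A-Z ]*PRIVATE KEY-----'              # PEM private key header
# key=value or "key": "value" where key looks like a credential name; the value
# must start with an alphanumeric so an already-redacted "[REDACTED]" is not re-matched.
RE_KV='(([Pp]assword|[Ss]ecret|[Tt]oken|[Aa]pi[_-]?[Kk]ey)"?[[:space:]]*[:=][[:space:]]*"?)[A-Za-z0-9][^"[:space:],}]*'

# Exit 0 if any stdin line matches a secret pattern. Use it as a gate that
# refuses ingest rather than relying on redaction alone.
has_secrets() {
    grep -Eq "$RE_AWS|$RE_GH|$RE_PEM|$RE_KV"
}

# Replace matches in place, line by line, keeping the JSON structure intact so
# the redacted transcript is still parseable by whatever consumes it.
redact_secrets() {
    sed -E \
        -e "s/$RE_AWS/[REDACTED_AWS_ACCESS_KEY]/g" \
        -e "s/$RE_GH/[REDACTED_GITHUB_TOKEN]/g" \
        -e "s/$RE_PEM/[REDACTED_PRIVATE_KEY]/g" \
        -e "s/$RE_KV/\\1[REDACTED]/g"
}

# Constructed sample transcript lines (not real credentials).
SAMPLE='{"role":"user","content":"deploy with AKIAABCDEFGHIJKLMNOP and password=hunter2"}
{"role":"assistant","content":"done; nothing sensitive here"}
{"role":"user","content":"token ghp_ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghij"}'

# Usage (paths are assumptions): redact_secrets < session.jsonl > session.redacted.jsonl
# and point auto-capture at the redacted copy, never at the live transcript.
```

Expect false positives from the generic key/value rule (a line such as "tokens: 3" is caught); that is the safer failure for a memory store. The filter does nothing for secrets that do not match a known shape, so it complements, rather than replaces, keeping capture scoped to a small set of paths.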

Session Persistence

Medium
Category
Rogue Agent
Content
```bash
chaos-consolidator --auto-capture --once

# Run continuously in background
nohup chaos-consolidator --auto-capture > ~/.chaos/consolidator.log 2>&1 &
```

**5. Check it's working:**
Confidence
80% confidence
Finding
nohup

External Script Fetching

Low
Category
Supply Chain
Content
# Via ClawHub (recommended)
clawdhub install chaos-memory

# Via curl
curl -fsSL https://raw.githubusercontent.com/hargabyte/Chaos-mind/main/install.sh | bash

# Manual
Confidence
93% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/hargabyte/Chaos-mind/main/install.sh | bash

External Script Fetching

Low
Category
Supply Chain
Content
### Manual

```bash
curl -fsSL https://raw.githubusercontent.com/hargabyte/Chaos-mind/main/install.sh | bash
```

---
Confidence
96% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/hargabyte/Chaos-mind/main/install.sh | bash

External Script Fetching

High
Category
Supply Chain
Content
**3. Install dependencies:**
```bash
# Install Ollama (if not already)
curl -fsSL https://ollama.com/install.sh | sh

# Pull the model
ollama pull qwen3:1.7b
```
Confidence
98% confidence
Finding
curl -fsSL https://ollama.com/install.sh | sh

Chaining Abuse

High
Category
Tool Misuse
Content
clawdhub install chaos-memory

# Via curl
curl -fsSL https://raw.githubusercontent.com/hargabyte/Chaos-mind/main/install.sh | bash

# Manual
git clone https://github.com/hargabyte/Chaos-mind ~/.chaos/chaos-memory
Confidence
99% confidence
Finding
| bash

Chaining Abuse

High
Category
Tool Misuse
Content
### Manual

```bash
curl -fsSL https://raw.githubusercontent.com/hargabyte/Chaos-mind/main/install.sh | bash
```

---
Confidence
97% confidence
Finding
| bash

Chaining Abuse

High
Category
Tool Misuse
Content
**3. Install dependencies:**
```bash
# Install Ollama (if not already)
curl -fsSL https://ollama.com/install.sh | sh

# Pull the model
ollama pull qwen3:1.7b
```
Confidence
98% confidence
Finding
| sh

VirusTotal

61/61 vendors reported this skill as clean.