Back to skill

Security audit

Chaos Mind

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed local memory tool; its optional transcript capture and background service are privacy-sensitive but not hidden or enabled by default.

Before installing, review install.sh and avoid curl | bash when possible. Keep auto-capture off unless you intentionally choose narrow transcript paths, exclude secrets or regulated data, and understand how to stop any nohup/systemd background process and audit or delete the local ~/.chaos database.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (24)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill metadata exposes a shell-based installer (`bash install.sh`) but does not declare corresponding permissions or clearly surface that command execution is required. This creates a trust and transparency gap: users or agent platforms may treat the skill as lower-risk than it is, while installation can run arbitrary repository-controlled shell commands with the user's privileges.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The release text advertises 'auto-capture' as a product feature even though the skill metadata says auto-capture is opt-in only. In a memory system for AI agents, misrepresenting capture behavior can cause operators to deploy it with incorrect privacy expectations, potentially leading to unintended collection of session transcripts or sensitive data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The manifest conflicts with the stated skill context by prominently advertising 'auto-capture' and 'session transcripts' while the skill metadata says auto-capture is opt-in only/manual by default. This mismatch can mislead users and integrators about when transcript data is collected, increasing the risk of unintended collection of sensitive conversational data.

Description-Behavior Mismatch

Low
Confidence
87% confidence
Finding
The usage section presents starting auto-capture as a normal operational example without any warning, consent note, or indication that it is a special opt-in mode. In a memory skill handling session transcripts, normalizing capture behavior can cause operators to enable surveillance-like functionality without understanding privacy implications.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The generated chaos-cli script only escapes single quotes in the search string, but it directly interpolates the LIMIT parameter into the SQL query without validation. An attacker who can control that argument may inject additional SQL fragments or alter query behavior, undermining the claimed SQL injection protection.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The script installs a persistent systemd unit for an 'Auto-Capture Consolidator', which conflicts with the stated skill behavior that auto-capture is opt-in only. This can mislead users into setting up always-on background collection and processing they may not expect, increasing privacy and persistence risk.

Intent-Code Divergence

Low
Confidence
73% confidence
Finding
The file header describes a generic systemd setup script, but the resulting unit is specifically for an auto-capture consolidator. This mismatch reduces transparency and can cause an operator to authorize persistent behavior without understanding the specific function being installed.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The checklist documents default auto-capture glob patterns that target agent session logs and memory files, which commonly contain prompts, credentials, personal data, and other sensitive content, but provides no privacy warning or consent guidance. In the context of a memory-ingestion skill, this increases the risk of unintentionally collecting and persisting sensitive local data beyond what the user expects.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The service setup instructions tell users to install and start a systemd unit but do not clearly warn that the consolidator will run continuously in the background and keep processing matched files over time. For a tool that scans local session artifacts, persistent background execution materially raises the chance of ongoing unintended collection and storage of sensitive information.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The installation notes instruct users to download and immediately execute a remote shell script via `curl ... | bash`, which bypasses review, integrity verification, and change control. If the GitHub account, repository, branch, or network path is compromised, arbitrary code would run on the user's system during installation.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The auto-capture configuration encourages ingesting chat session logs and workspace files into a memory system without any privacy, consent, or secret-handling warning. This can cause sensitive conversations, credentials, tokens, proprietary content, or personal data to be indexed and retained unintentionally.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The README instructs users to pipe a remotely fetched script directly into bash, which prevents review of the script before execution and creates a supply-chain/code-execution risk. If the upstream URL, repository, or transport path is compromised, users could execute arbitrary code on their systems immediately during installation.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The dependency setup also uses a remote shell installer piped directly to sh for Ollama installation, introducing the same arbitrary code execution and supply-chain compromise risk. The surrounding text discusses functionality, not a prominent warning, so users may follow the command without understanding they are executing unreviewed remote code.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documentation tells users to execute a remote script directly via 'curl ... | bash', which removes an opportunity to inspect the script before execution and makes users trust whatever content is served at that URL at install time. If the repository, branch, or delivery path is compromised, this becomes an easy remote code execution path on the user's machine.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The test instructions include 'rm -rf ~/.chaos' without warning that it deletes local state. In a memory product, that directory likely contains stored memories, configuration, or other user data, so blindly following the step can cause destructive data loss.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The document explicitly recommends `curl ... | bash`, which causes users to execute shell code fetched from the network without inspecting or verifying it first. If the GitHub account, repository, branch, DNS/TLS path, or hosting content is compromised, the installer can run arbitrary commands on the user's machine immediately.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The manifest describes auto-capture from session transcripts but does not define the trigger, scope, or guardrails for activation. For a system processing conversational history, unclear activation constraints create a real risk of over-collection, accidental retention, or deployment in environments where users assume manual-only behavior.

Missing User Warnings

High
Confidence
97% confidence
Finding
The manifest advertises automatic transcript capture but does not include a clear warning that sensitive session content may be recorded and stored locally. Because transcripts often contain secrets, internal discussions, credentials, or personal data, absence of an explicit warning materially increases the chance of unsafe deployment and privacy violations.

Session Persistence

Medium
Category
Rogue Agent
Content
echo ""
echo "Next steps:"
echo "  1. Review the service file: sudo nano $SERVICE_FILE"
echo "  2. Enable service: sudo systemctl enable $SERVICE_NAME"
echo "  3. Start service: sudo systemctl start $SERVICE_NAME"
echo "  4. Check status: sudo systemctl status $SERVICE_NAME"
echo "  5. View logs: sudo journalctl -u $SERVICE_NAME -f"
Confidence
86% confidence
Finding
systemctl enable

Session Persistence

Medium
Category
Rogue Agent
Content
USER=$(whoami)
HOME_PATH=$(eval echo ~)

# Create service file from template
echo "Creating service file..."
cat > "/tmp/$SERVICE_NAME" << EOF
[Unit]
Confidence
80% confidence
Finding
Create service file

External Script Fetching

Low
Category
Supply Chain
Content
# Via ClawHub (recommended)
clawdhub install chaos-memory

# Via curl
curl -fsSL https://raw.githubusercontent.com/hargabyte/Chaos-mind/main/install.sh | bash

# Manual
Confidence
92% confidence
Finding
curl curl -fsSL https://raw.githubusercontent.com/hargabyte/Chaos-mind/main/install.sh | bash

External Script Fetching

Low
Category
Supply Chain
Content
clawdhub install chaos-memory

# OR
curl -fsSL https://raw.githubusercontent.com/hargabyte/chaos-memory/main/skill/install.sh | bash

# Script does:
1. Install Dolt (if needed)
Confidence
95% confidence
Finding
curl -fsSL https://raw.githubusercontent.com/hargabyte/chaos-memory/main/skill/install.sh | bash

Chaining Abuse

High
Category
Tool Misuse
Content
clawdhub install chaos-memory

# Via curl
curl -fsSL https://raw.githubusercontent.com/hargabyte/Chaos-mind/main/install.sh | bash

# Manual
git clone https://github.com/hargabyte/Chaos-mind ~/.chaos/chaos-memory
Confidence
99% confidence
Finding
| bash

Chaining Abuse

High
Category
Tool Misuse
Content
clawdhub install chaos-memory

# OR
curl -fsSL https://raw.githubusercontent.com/hargabyte/chaos-memory/main/skill/install.sh | bash

# Script does:
1. Install Dolt (if needed)
Confidence
98% confidence
Finding
| bash

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.