Kindle Claude Monitor

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent local Claude Code status monitor, but it exposes hook-derived activity over the LAN without authentication and persistently logs full event payloads.

Install only if you are comfortable with a background Claude Code monitor that registers hooks, starts at login, listens on your local network, and stores hook payload logs locally. Use it only on trusted networks, consider changing it to bind to localhost or adding authentication before use, and avoid the firewall stealth-mode sudo workaround unless you understand the host-wide exposure. Review or remove ~/.claude/kindle-monitor/events.jsonl if it may contain sensitive prompts, paths, or command data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill advertises and documents capabilities that modify files, read environment/configuration, and invoke shell commands, but it does not declare permissions accordingly. This undermines informed consent and makes it easier for users to install a skill that persistently changes local settings and startup behavior without a clear capability boundary.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The stated purpose sounds like a simple local status display, but the documented behavior goes further by editing Claude settings, registering seven hooks, installing a launchd agent, and exposing an HTTP service to the LAN. That mismatch is dangerous because users may consent to a passive display tool without realizing they are enabling persistence, automatic event forwarding, and network exposure.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The installer silently edits ~/.claude/settings.json to register 7 automatic hooks across multiple lifecycle events. Even if the intended purpose is local monitoring, this expands the skill’s reach from a simple dashboard into automatic event interception/execution, which creates a broader trust boundary and could expose prompts, tool usage metadata, or future event data without explicit informed consent.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script installs a persistent launchd agent and immediately starts it, which creates background execution beyond a one-time local setup step. Persistent background services increase attack surface and can continue processing data after the user forgets the skill is active, especially when the manifest description does not prominently disclose this behavior.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The server exposes additional endpoints beyond passive display, including /raw.json for full state/event disclosure and /reset for state mutation, with no authentication or access controls. Because the service binds to 0.0.0.0 and is intended for LAN access, any reachable host on the network can inspect session metadata or alter monitor state.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
All incoming event payloads are written verbatim to a persistent JSONL log under ~/.claude/kindle-monitor/events.jsonl. Hook payloads may contain sensitive prompts, file paths, commands, project names, and notification text, so this creates an undisclosed local data-retention surface that can expose private workflow data to other local users or later compromise.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The /reset endpoint clears monitor state via an unauthenticated GET request. On a LAN-exposed service, any reachable party—or even a browser loading a link or image pointing to that URL—can reset the dashboard, causing loss of situational awareness and making waiting/error states disappear.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly states the server binds to 0.0.0.0:8787 and instructs users to access it from other devices on the LAN, but it does not clearly warn that anyone on the same network can reach the dashboard and debug endpoints. Because the service exposes live Claude activity and raw state via endpoints like /raw.json and /reset, this creates a real information exposure and unauthorized interaction risk in the intended deployment model.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill forwards hook events to an HTTP server and makes the dashboard reachable from other devices on the local network, but the description does not prominently warn that operational metadata will be exposed over LAN. Depending on hook contents, this can leak project names, tool names, prompts, or confirmation messages to any party with network access to the endpoint.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The installation section describes running an installer but does not foreground that it will persistently modify local configuration and system startup behavior. Users may execute the installer expecting a reversible local setup while unknowingly enabling hooks and a background service that survives restarts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The installer modifies Claude settings and registers automatic hooks without asking for confirmation at the moment of change. Silent security-relevant configuration changes reduce user awareness and can lead to unintended data forwarding or command execution on future sessions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Persisting full inbound event payloads without clear disclosure is a real privacy/security issue because those payloads can contain sensitive operational data. Even if the server is only local, unexpected retention increases exposure to local account compromise, backups, shared machines, or forensic recovery.

Missing User Warnings

Low
Confidence
88% confidence
Finding
Using GET for a state-changing reset operation is unsafe because GET requests are easy to trigger accidentally or cross-origin through normal browser behavior. While the impact is limited to monitor state integrity rather than code execution, it still enables unauthorized resets and user confusion.

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
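- Copies `server.py` / `notify.sh` to `~/.claude/kindle-monitor/`
- Writes the launchd plist to `~/Library/LaunchAgents/` and starts it
- Appends 7 kindle hooks to the hooks in `~/.claude/settings.json` (existing hooks are left untouched)
- Handles macOS firewall stealth mode (prompts the user to turn it off with sudo if needed)
- Reports the Mac's LAN IP and tells you which URL to enter on the Kindle

## Kindle-side configuration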
Confidence
84% confidence
Finding
sudo

Sudo/Root Execution

Medium
Category
Privilege Escalation
Content
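| Symptom | Cause | Fix |
|---|---|---|
| Kindle keeps spinning and cannot connect | macOS stealth mode drops the LAN packets | `sudo /usr/libexec/ApplicationFirewall/socketfilterfw --setstealthmode off` |
| Even a browser cannot connect | The server did not start | Run `launchctl list \| grep kindle-monitor` to see whether it is running, and check `~/.claude/kindle-monitor/launchd.err.log` |
| localhost opens on the Mac but the Kindle cannot connect | The Mac's IP changed | Run `ipconfig getifaddr en0` to get the new IP; set a static DHCP lease for the Mac in the router admin page to fix it for good |
| Display stays on 「请确认」 ("Please confirm") although nothing is waiting | The virtual session is locked | Open `http://<Mac-IP>:8787/reset` in a browser, or wait 5 minutes |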
Confidence
82% confidence
Finding
sudo

Session Persistence

Medium
Category
Rogue Agent
Content
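`install.sh` does the following:
- Copies `server.py` / `notify.sh` to `~/.claude/kindle-monitor/`
- Writes the launchd plist to `~/Library/LaunchAgents/` and starts it
- Appends 7 kindle hooks to the hooks in `~/.claude/settings.json` (existing hooks are left untouched)
- Handles macOS firewall stealth mode (prompts the user to turn it off with sudo if needed)
- Reports the Mac's LAN IP and tells you which URL to enter on the Kindle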
Confidence
93% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
| `KINDLE_MONITOR_REFRESH` | 3 | meta refresh interval in seconds |
| `KINDLE_MONITOR_WAITING_TIMEOUT` | 300 | waiting-lock timeout in seconds |

After changing these, edit the EnvironmentVariables block in the plist, then run `launchctl unload && launchctl load` once.

## Uninstall
Confidence
87% confidence
Finding
plist

Session Persistence

Medium
Category
Rogue Agent
Content
| `KINDLE_MONITOR_REFRESH` | 3 | meta refresh interval in seconds |
| `KINDLE_MONITOR_WAITING_TIMEOUT` | 300 | waiting-lock timeout in seconds |

After changing these, edit the EnvironmentVariables block in the plist, then run `launchctl unload && launchctl load` once.

## Uninstall
Confidence
87% confidence
Finding
launchctl load

VirusTotal

VirusTotal findings are pending for this skill version.
