Second Brain Visualizer

Security checks across malware telemetry and agentic risk

Overview

The skill appears purpose-built rather than malicious, but it handles highly private notes and messages, and its safeguards around LLM routing and channel ingestion are under-scoped for data of that sensitivity.

Install only if you are comfortable centralizing raw personal notes and selected private-channel content into this workflow. Keep the gateway host set to 127.0.0.1 (the manifest default) unless you deliberately trust a remote endpoint, verify where OpenClaw actually routes LLM calls, use dedicated low-sensitivity Slack/Telegram/Gmail channels, keep secrets and regulated data out of atoms, and protect (mode 0600) or rotate the credential files under ~/.openclaw/credentials.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The skill’s description frames it as passive idea-pattern analysis, but the documented behavior includes reading a specific local vault file, using stored credentials, making authenticated HTTP requests to an LLM gateway, and persisting derived outputs. That mismatch matters because users may provide highly sensitive personal notes under the assumption of local-only reflective analysis, while the actual design can route the full corpus off-machine if the gateway host is changed from localhost.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code sends the full raw note corpus to an HTTP service for analysis, which directly contradicts a passive/local-only mental model users may infer from the skill description. Even if intended for a local gateway, the configured host may be remote and the data includes highly sensitive personal notes, creating a serious privacy and data-exfiltration risk.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The comment asserts that all LLM calls are local and not external, but the implementation accepts arbitrary configured hosts and only emits a warning for non-local values. This mismatch can mislead maintainers and users into underestimating the privacy impact, increasing the chance that sensitive thought data is sent off-device unexpectedly.
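A hardened version of the host check this finding describes, together with the credential-file advice from the overview, as an added example in Python. This is not the skill's own code: the file path, the field names (host, port, key) and the defaults (127.0.0.1, 18789) are taken from the skill manifest, while the allow_remote opt-in, the file-mode check, the URL scheme choice and all function names are assumptions made for the illustration.

```python
# Added example, not the skill's own code: a gateway-credential loader that turns
# the "warn only on a non-local host" behaviour flagged above into a hard refusal.
# Path, field names (host, port, key) and defaults (127.0.0.1, 18789) come from the
# skill manifest; allow_remote, the mode check, the scheme choice and the function
# names are assumptions for this illustration.
import ipaddress
import json
import stat
from pathlib import Path

DEFAULT_CREDENTIAL_PATH = "~/.openclaw/credentials/openclaw-gateway.json"


def is_loopback(host: str) -> bool:
    """True only for targets that cannot leave the machine."""
    h = host.strip().strip("[]").lower()          # accept "[::1]" as well as "::1"
    if h == "localhost":
        return True
    try:
        return ipaddress.ip_address(h).is_loopback  # 127.0.0.0/8 and ::1
    except ValueError:
        return False  # any other hostname resolves to something we cannot vouch for


def gateway_problems(raw: dict, allow_remote: bool = False) -> list:
    """Return every reason the parsed credential JSON should not be used."""
    problems = []
    host = str(raw.get("host", "127.0.0.1"))
    port = raw.get("port", 18789)
    if not raw.get("key"):
        problems.append("gateway key is missing")
    if not isinstance(port, int) or not 0 < port < 65536:
        problems.append(f"port {port!r} is not a valid TCP port")
    if not is_loopback(host) and not allow_remote:
        # The warning the scanner found becomes a refusal: the whole atom corpus
        # would otherwise be POSTed to this host silently.
        problems.append(f"host {host!r} is not loopback and remote use was not opted into")
    return problems


def mode_problems(mode: int) -> list:
    """Flag a credential file that anyone but its owner can read or write."""
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        return [f"credential file mode {mode:04o} is group/other accessible; use 0600"]
    return []


def load_gateway_config(raw: dict, allow_remote: bool = False) -> dict:
    """Validate the parsed JSON and build the base URL, raising instead of warning."""
    problems = gateway_problems(raw, allow_remote)
    if problems:
        raise ValueError("; ".join(problems))
    host = str(raw.get("host", "127.0.0.1"))
    port = raw.get("port", 18789)
    scheme = "http" if is_loopback(host) else "https"   # assumed: plaintext only on loopback
    return {"host": host, "port": port, "key": raw["key"],
            "base_url": f"{scheme}://{host}:{port}"}


def load_gateway_file(path: str = DEFAULT_CREDENTIAL_PATH, allow_remote: bool = False) -> dict:
    """Read the manifest's credential file, refusing world/group-readable files."""
    p = Path(path).expanduser()
    problems = mode_problems(stat.S_IMODE(p.stat().st_mode))
    if problems:
        raise PermissionError("; ".join(problems))
    with p.open() as fh:
        return load_gateway_config(json.load(fh), allow_remote=allow_remote)


if __name__ == "__main__":
    # Constructed sample inputs, not real credential files.
    print(gateway_problems({"host": "127.0.0.1", "port": 18789, "key": "k"}))
    print(gateway_problems({"host": "gateway.example.net", "key": "k"}))
    print(mode_problems(0o644))
```

The important design point is that a non-loopback host is rejected unless the caller passes allow_remote=True at the call site, so the off-machine path has to be chosen explicitly in code rather than slipping in through an edited JSON file; the mode check catches the other common failure, a credential file readable by every local user.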

Natural-Language Policy Violations

High
Confidence
97% confidence
Finding
The prompt instructs the model to infer deep psychological traits, recurring tensions, and 'what the person is becoming' from raw personal notes. That is highly sensitive profiling, and in this skill context it is more dangerous because the input is an intimate longitudinal corpus rather than public or narrowly scoped text.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
When a cluster is selected, the component sends the raw text of all associated atoms to the insight API. In this skill's context, those atoms are explicitly described as raw idea streams, voice-note fragments, and half-sentences, which may contain highly sensitive personal or confidential information; the file shows no in-context notice, consent prompt, minimization, or user control before transmitting that content. This creates a real privacy/security issue even if the backend is first-party, because sensitive data is silently forwarded for secondary processing.
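The minimization and user-control step this finding says is missing, as an added example in Python that is not the skill's own code. The atom shape ({"id", "source", "text"}), the source names, the secret patterns and the function names are assumptions for the illustration; the point it shows is that only allow-listed sources are sent, secret-looking strings are masked before the request is built, and the caller gets a report of what was withheld or masked to show the user before anything leaves the process.

```python
# Added example, not the skill's own code: a minimization step that sits between
# "cluster selected" and the POST to the insight endpoint. Atom shape, source names
# and secret patterns are assumptions for this illustration.
import re

# Only vault notes are sent unless the caller opts a messaging/email source in.
DEFAULT_ALLOWED_SOURCES = frozenset({"vault"})

# Cheap, conservative patterns. A false positive costs a masked token, a false
# negative costs a leaked one, so err toward masking. Order matters: specific
# token shapes run before the generic long-string rule.
REDACTIONS = (
    ("email", re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")),
    ("slack_token", re.compile(r"\bxox[abp]-[A-Za-z0-9-]{10,}\b")),
    ("telegram_bot_token", re.compile(r"\b\d{8,10}:[A-Za-z0-9_-]{35}\b")),
    ("long_secret", re.compile(r"\b[A-Za-z0-9_-]{32,}\b")),   # API keys, UUIDs, hashes
)


def redact(text: str):
    """Mask secret-looking spans; return the new text and per-pattern counts."""
    counts = {}
    for label, pattern in REDACTIONS:
        text, n = pattern.subn(f"[{label} redacted]", text)
        if n:
            counts[label] = n
    return text, counts


def minimize_atoms(atoms, allowed_sources=DEFAULT_ALLOWED_SOURCES, max_chars=2000):
    """Build the outbound payload plus a report of what was withheld or masked."""
    payload, withheld, redactions = [], [], {}
    for atom in atoms:
        source = atom.get("source", "vault")
        if source not in allowed_sources:
            withheld.append((atom["id"], f"source {source!r} not in allow-list"))
            continue
        text, counts = redact(atom["text"])
        for label, n in counts.items():
            redactions[label] = redactions.get(label, 0) + n
        truncated = len(text) > max_chars
        payload.append({"id": atom["id"], "text": text[:max_chars], "truncated": truncated})
    return {"payload": payload, "withheld": withheld, "redactions": redactions}


# Constructed sample atoms in the shape assumed above (not real user data).
SAMPLE_ATOMS = [
    {"id": "a1", "source": "vault", "text": "Call mom about dinner, her email is mom@example.com"},
    {"id": "a2", "source": "slack", "text": "deploy key is xoxb-1234567890-abcdefghij, rotate it"},
    {"id": "a3", "source": "vault", "text": "half-formed: maybe leave the job next year"},
]


def demo():
    """Run the default policy over the sample atoms."""
    return minimize_atoms(SAMPLE_ATOMS)


if __name__ == "__main__":
    report = demo()
    print(report["payload"])
    print("withheld:", report["withheld"], "redactions:", report["redactions"])
```

In use, the component would render report["withheld"] and report["redactions"] as a confirmation step and only send report["payload"]; widening allowed_sources to include Slack, Telegram or Gmail atoms is then a visible per-request choice rather than the silent default.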

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The Slack ingestion guidance instructs users to automatically read private-channel messages and append their full contents into a persistent local ledger, but it does not warn that this copies potentially sensitive conversations into a new retention location. That creates a real privacy and data-governance risk because users may ingest confidential or third-party data without consent, minimization, or visibility into storage and retention.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The Telegram section instructs use of bot credentials to fetch message contents and append them to storage, but omits clear guidance on secure credential handling and the persistence of imported message data. This is dangerous because exposed bot tokens or overbroad ingestion can let an attacker or unintended operator access private messages and retain them indefinitely in another system.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The Gmail ingestion guidance tells users to ingest unread labeled messages but does not warn that email bodies may be imported into a persistent ledger. Email often contains highly sensitive personal, financial, or business information, so silent persistence into another file increases risk of overcollection, long-term retention, and accidental disclosure.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The install guide instructs users to set up clustering and insight endpoints that transmit vault-derived atom text to an LLM, but it does not clearly warn that potentially sensitive personal notes, idea fragments, or imported messages may leave the local system depending on the configured model and gateway. In the context of a 'second brain' tool that aggregates raw thought streams and may ingest data from Slack or Telegram, this omission creates a meaningful privacy and data-handling risk because users may expose highly sensitive content without informed consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide explicitly encourages users to capture raw, half-formed personal thoughts in third-party messaging platforms and later send the full corpus to an LLM, but it provides no privacy warning, consent guidance, or data-minimization advice. Because the content is likely to include sensitive personal, professional, or confidential information, this omission can lead users to unintentionally expose private data to external service providers and model vendors.

Session Persistence

Medium
Category
Rogue Agent
Content
license: MIT-0
credentials:
  - name: "openclaw-gateway.json"
    description: "Required. Create at ~/.openclaw/credentials/openclaw-gateway.json with fields: host (default: 127.0.0.1), port (default: 18789), key (your OpenClaw gateway auth key). Keep host set to 127.0.0.1 to ensure atom corpus stays on-machine."
    required: true
  - name: "slack-sb.json"
    description: "Optional. Slack bot API key for automated ingestion from a private Slack channel. Format: { apiKey: string }"
Confidence
88% confidence
Finding
Create at ~/.openclaw/credentials/openclaw-gateway.json with fields: host (default: 127.0.0.1), port (default: 18789), key (your OpenClaw gateway auth key). Keep host set to 127.0.0.1 to ensure atom c

VirusTotal

No VirusTotal findings