FocusMind - AI Brain Fog Clearer (Agent Brain Fog Clearing Tool)

Security checks across malware telemetry and agentic risk

Overview

The core context-summary tool looks legitimate, but it needs review because it includes under-documented file and webhook features that could expose conversation data.

Review before installing. Use it only on conversation or project context you are comfortable analyzing or saving, avoid enabling webhook notifications unless you fully trust the endpoint, and be careful with REPL load/save and export paths because they can read or overwrite arbitrary files the process can access.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 81%
Finding: The skill advertises capabilities that imply file I/O and network interaction, but it declares no permissions or trust boundaries. That creates a transparency and least-privilege problem: an agent or operator may invoke functionality that reads/writes local context or emits data externally without explicit approval, increasing the risk of unintended data exposure.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The documented purpose is narrow ('clear mental clutter/regain focus'), but the described behavior extends to exports, caching, statistics, notifications, REPL/file persistence, and a general-purpose API. This mismatch is dangerous because users may trust the skill with sensitive conversation context under the assumption of local analysis, while the broader behavior expands collection, retention, and exfiltration surfaces.

Context-Inappropriate Capability
Severity: Medium
Confidence: 83%
Finding: The export command writes analysis results to an arbitrary user-specified path, creating a generic filesystem write primitive. In an agent environment, this can become dangerous if untrusted prompts or tool invocations can influence the output path, potentially overwriting sensitive files or planting content in unexpected locations.

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding: The REPL exposes arbitrary local file read and write through `load <file>` and `save <file>`, which goes beyond the skill's advertised purpose of context cleanup and summarization. In an agent environment, this unnecessarily expands the tool's capability surface and can enable sensitive file disclosure or unintended overwrites if an untrusted user or prompt steers the REPL to access arbitrary paths.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: `cmd_load` and `cmd_save` accept user-supplied paths without restriction, allowing arbitrary local file access. Even though this is a local REPL, unrestricted file access is dangerous in agent/tooling contexts because it can be repurposed to read secrets, inspect unrelated files, or overwrite user data outside the intended scope of the skill.

Context-Inappropriate Capability
Severity: Medium
Confidence: 83%
Finding: The export function writes arbitrary content to an arbitrary caller-controlled filepath with no path restrictions, validation, or sandboxing. In an agent context, if an attacker can influence the destination path, this can overwrite files the process can access, potentially causing data loss, tampering with local state, or planting misleading artifacts.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: The webhook path can send cleanup summaries and goals to an arbitrary URL supplied in configuration, which creates a clear exfiltration channel for potentially sensitive agent context. In a skill intended to 'clear mental fog,' transmitting internal summaries off-host is not necessary to core functionality, making this more dangerous because operators may not expect data egress from such a skill.

Vague Triggers
Severity: Medium
Confidence: 78%
Finding: Claims of 'auto-trigger' and 'intelligent monitoring' lack concrete activation boundaries, frequency limits, and scope restrictions. In the context of a skill that may inspect large conversation histories and potentially write files or send notifications, ambiguous autonomous activation raises the chance of unreviewed processing of sensitive context and unintended repeated actions.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The documentation exposes an 'auto_cleanup' capability but does not clearly warn that automated cleanup/compression can remove, overwrite, or distort important context. For an agent skill operating on conversation history and goals, silent or poorly bounded cleanup can cause loss of user intent, deletion of evidence, or unsafe downstream decisions based on incomplete context.

Missing User Warnings
Severity: Low
Confidence: 86%
Finding: This file allows writing reports to a caller-controlled path without any confirmation, warning, or visible safety check. While not inherently malicious, silent file writes increase the risk of accidental overwrite or misuse when embedded in automation or invoked by an LLM-driven agent.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: When the trigger fires, the code automatically summarizes the full context and extracts goals without any explicit user disclosure, consent, or visibility into what data is being processed. In an agent setting, context may contain sensitive user inputs, credentials, proprietary material, or prior conversation state, so silent secondary processing increases privacy and data-handling risk.

VirusTotal

66/66 vendors flagged this skill as clean.