data-pods

Security checks across malware telemetry and agentic risk

Overview

This local knowledge-base skill is not clearly malicious, but it should be reviewed because it can persist, modify, and export private documents with weak guardrails.

Install only if you intentionally want a persistent local knowledge base and are comfortable managing its data yourself. Use narrow reviewed folders, avoid health or confidential documents until controls are improved, do not rely on the advertised consent layer as enforcement for normal queries, avoid raw SQL unless you mean to administer the database, and review any ZIP, .vpod, or markdown export before sharing it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (11)

MCP Least Privilege

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to read folders, write pod data under a local storage path, and execute Python scripts via shell, but it does not declare any permissions. This creates a transparency and policy-enforcement gap: users and the platform may not realize the skill can access local files and invoke commands, increasing the chance of unintended file exposure or unsafe execution.

MCP Tool Poisoning

High
Confidence
89% confidence
Finding
The documented behavior understates materially sensitive capabilities such as access control/session handling, audit logging, import/export, markdown packing for LLM use, and raw SQL querying. When a skill exposes capabilities beyond its declared purpose, users and reviewers cannot accurately assess trust boundaries, which raises the risk of covert data export, overcollection, or misuse of stored pod contents.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The query function executes arbitrary user-supplied SQL directly against the pod database via c.execute(sql). This grants unrestricted read/write/delete/schema-modification capability, so any caller can destroy data, alter metadata, or extract sensitive contents beyond the intended note/query workflow.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The CLI intentionally exposes a --sql argument, making arbitrary SQL execution a first-class capability in a tool advertised for portable pod management. In context, this broadens the attack surface and enables destructive or unauthorized database manipulation with a single command, which is more dangerous because the skill is framed as automated and easy to use.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The README encourages ingestion of local documents, OCR of images, and embedding generation without explicitly warning that sensitive contents may be processed, stored, and made searchable. In a skill centered on personal knowledge bases and agent access, users may import private research, health, or shared documents and underestimate the privacy implications of extracted text, embeddings, logs, and consent misconfiguration.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger phrases are broad and overlap with ordinary conversational requests like "add note," "add files," or "search pod," making accidental invocation more likely. In a skill that can read folders, ingest documents, and execute shell commands, unintended triggering can cause unreviewed file access or data modifications.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The phrase "Full automation - just ask" encourages implicit execution without making boundaries or confirmations clear. In context, the skill can create local databases, ingest arbitrary folders, and run Python commands, so an ambiguous invocation cue increases the risk of the agent taking sensitive actions without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The script logs raw query text, pod names, session IDs, timestamps, and row counts into a local SQLite database under the user’s home directory without any notice, opt-in, retention policy, or file-permission hardening. In this skill context, queries against database pods may contain sensitive business data, secrets, personal information, or investigative prompts, so silent local audit collection increases privacy and data-exposure risk if the host is shared or compromised.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script copies full document contents into a local SQLite database under ~/.openclaw/data-pods without any consent prompt, sensitivity warning, retention controls, or file-permission hardening. In this skill's context, users may ingest confidential local files, and silently duplicating that data increases exposure if the host is shared, backed up, or later accessed by other tools.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The --sql option exposes destructive database functionality without any warning, confirmation, or safety guardrails. While this overlaps with the raw-SQL issue itself, the absence of user warning increases the chance of accidental data loss or misuse by users who may not realize they are executing unrestricted statements.

Missing User Warnings

Medium
Confidence
80% confidence
Finding
The pack_for_llm function exports note titles, tags, timestamps, and full content into a plaintext markdown file intended for pasting into an external LLM, but it provides no warning, redaction, or sensitivity check. In a data-pod context, pods may contain private notes or embedded knowledge, so this creates a realistic risk of accidental disclosure if users upload the generated file to third-party services.

VirusTotal

66/66 vendors flagged this skill as clean.
