Link Brain

Security checks across malware telemetry and agentic risk

Overview

Link Brain is a local bookmark and link knowledge-base tool whose browser import, local database, HTML output, and optional URL fetching match its stated purpose.

Install only if you want a local database of your saved links and are comfortable with the quickstart command reading browser bookmarks. Use setup or individual scan commands instead of quickstart if you want to review sources first, and use auto-save only for URLs you are comfortable having the tool fetch from your machine.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Tainted flow: 'req' from os.environ.get (line 636, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            'User-Agent': 'Mozilla/5.0 (compatible; LinkBrain/4.0)',
            'Accept': 'text/html,application/xhtml+xml,text/plain',
        })
        with urllib.request.urlopen(req, timeout=15) as resp:
            content_type = resp.headers.get('Content-Type', '')
            charset = 'utf-8'
            if 'charset=' in content_type:
Confidence
95% confidence
Finding
with urllib.request.urlopen(req, timeout=15) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill documentation describes capabilities including filesystem access, environment-variable use, shell execution, and network fetching, but it does not declare permissions or clearly bound those operations. This creates a transparency and consent problem: users or platforms may authorize a seemingly local bookmark tool without understanding that it can read browser data, write HTML files, invoke shell commands, and make outbound requests.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The published description frames the skill as a local link knowledge base, but the documented behavior is materially broader: it imports personal browser/platform data, performs network access in auto-save mode, generates rich local dashboards, and maintains ongoing tracking/analytics. This mismatch is dangerous because users may provide trust and approval under a narrower mental model than the actual data collection and processing performed.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The header comments claim all data stays local and that the only network call is in auto-save mode, but the code also constructs GitHub issue URLs and opens browser pages. While not a code-execution flaw, this is a deceptive capability disclosure issue that can mislead users and downstream agents about external interactions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The quickstart flow automatically scans Chrome, Safari, and Firefox and imports everything it finds, but the documentation does not present this as a sensitive action requiring explicit user confirmation. Browser bookmarks can reveal identities, employers, health interests, finances, and other private activity, so auto-import without a strong warning increases the risk of unintentional exposure and over-collection.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
Quickstart auto-detects and imports browser bookmarks from local browser stores without an explicit confirmation gate at execution time. In an agent or automation context, that can silently ingest sensitive personal browsing/bookmark data far beyond what a user expected from a generic setup command.

VirusTotal

63/63 vendors flagged this skill as clean.
