Mind-Wander

Security checks across malware telemetry and agentic risk

Overview

Mind-Wander is a coherent background research skill, but it enables persistent autonomous execution, weakly sandboxed code execution, gateway-token use, and plaintext transcript retention that users should review before installing.

Install only in a workspace where recurring background runs, external Perplexity queries, local code execution, and plaintext transcript storage are acceptable. Use dry-run/manual mode first, avoid sensitive ON_YOUR_MIND.md content, review or disable cron registration, and do not treat sandbox_run as a secure sandbox.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (20)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    # Run in subprocess with timeout and no network
    result = subprocess.run(
        ["python3", "-c", safe_code],
        capture_output=True, text=True,
        timeout=SANDBOX_TIMEOUT,
    )
Confidence
98% confidence
Finding
result = subprocess.run( ["python3", "-c", safe_code], capture_output=True, text=True, timeout=SANDBOX_TIMEOUT, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill advertises substantial capabilities—file read/write, shell execution, environment access, and network use—without declaring permissions. That prevents informed consent and undermines any permission-based safety model, especially for a scheduled autonomous agent that can act repeatedly without direct user review.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented behavior omits materially important actions: registering cron jobs, downloading/installing models and packages, copying scripts, and saving full transcripts for collection/training. This mismatch is dangerous because users may authorize a research helper while unknowingly granting persistence, software installation, token use, and data retention capabilities.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The module documentation explicitly describes storing full conversations, prompts, tool outputs, ON_YOUR_MIND snapshots, and graph context to disk. That creates a persistent repository of potentially sensitive model inputs and internal context, which exceeds the skill description's user-visible behavior and increases the chance of privacy leaks, credential capture, or later misuse of stored reasoning traces.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The save_session function persists a record for every run, including discarded and error outcomes, even though the skill description says findings are written only when genuinely novel. Capturing unsuccessful sessions broadens data exposure by storing more raw prompts and context than users would reasonably expect, including failed experiments that may contain sensitive intermediate data.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The installer reads the local OpenClaw gateway token and silently creates a recurring privileged cron job that tells the agent to write and execute a Python script. That grants the skill an automation and code-execution pathway broader than simple background research, and it does so without explicit user approval at install time. In this context, the capability expansion is dangerous because the scheduled job can keep running unattended and use the agent as an execution proxy.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The prompt explicitly tells the background agent that elevate() writes findings into graph-rag memory and that future sessions of the primary agent will see them. That contradicts the skill’s stated design goal that wander history remain isolated from the primary context, and it can cause the model to intentionally propagate speculative or low-confidence background exploration into the main agent memory. In this skill context, that is more dangerous because the agent autonomously performs web research and sandbox experiments, so prompt-induced memory crossover can contaminate the primary agent with unvetted or hallucinated conclusions.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The documentation promises a safe sandbox with no network and no file writes, but the implementation only rejects a short list of string patterns before executing arbitrary Python in a regular subprocess. In a skill explicitly designed for autonomous background reasoning and experiments, this mismatch is especially dangerous because the agent is likely to trust the safety claim and run untrusted snippets, enabling sandbox escape-by-design rather than an edge-case bug.
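The two findings above (the plain subprocess.run call and the pattern-based "sandbox") describe a general failure mode: substring deny-lists are not an execution boundary, and a subprocess started with the parent's environment hands generated code every token the agent holds. The following is an added example, not code from the Mind-Wander skill or its scanner output. The deny-list, the bypass payload, the demo environment variable and the resource caps are constructed for illustration; the real skill's pattern list is not on this page.

```python
"""Added example: why a string deny-list is not a sandbox, and what a
subprocess launch looks like once inherited secrets and resource use are
at least constrained. Not the skill's code; NAIVE_BLOCKLIST is hypothetical."""
import os
import resource
import subprocess
import sys
import tempfile

# Hypothetical deny-list standing in for "a short list of string patterns".
NAIVE_BLOCKLIST = ("import os", "import subprocess", "open(", "socket", "__import__")


def naive_is_safe(code: str) -> bool:
    """Substring matching only, the kind of check the finding describes."""
    return not any(pat in code for pat in NAIVE_BLOCKLIST)


# Constructed payload: contains none of the blocked substrings, yet writes a file
# (builtins are reachable by name, so "open" can be assembled at run time).
BYPASS_TEMPLATE = (
    'w = getattr(__builtins__, "op" + "en")({path!r}, "w"); '
    'w.write("escaped"); w.close()'
)


def run_unconstrained(code: str, timeout: float = 10) -> subprocess.CompletedProcess:
    """The shape the finding flags: plain subprocess.run inheriting the parent's
    environment and working directory, with a timeout as the only control."""
    return subprocess.run([sys.executable, "-c", code],
                          capture_output=True, text=True, timeout=timeout)


def _cap(limit: int, value: int) -> None:
    """Set soft=hard to `value`, never above the hard cap we already have."""
    _soft, hard = resource.getrlimit(limit)
    if hard != resource.RLIM_INFINITY:
        value = min(value, hard)
    resource.setrlimit(limit, (value, value))


def _apply_limits(mem_bytes: int, file_bytes: int, cpu_seconds: int) -> None:
    """Runs in the child before exec(): cap address space, file size, CPU time."""
    _cap(resource.RLIMIT_AS, mem_bytes)
    _cap(resource.RLIMIT_FSIZE, file_bytes)
    _cap(resource.RLIMIT_CPU, cpu_seconds)


def run_constrained(code: str, timeout: float = 10,
                    mem_bytes: int = 1024 * 1024 * 1024) -> subprocess.CompletedProcess:
    """Still NOT a security boundary (no network or filesystem isolation; that
    needs namespaces, seccomp or a container), but it removes the cheap wins:
    inherited env vars (tokens), the caller's cwd, site/user customisation (-I),
    stdin, and unbounded memory/CPU/output."""
    workdir = tempfile.mkdtemp(prefix="wander-sbx-")
    clean_env = {"PATH": "/usr/bin:/bin", "HOME": workdir, "LANG": "C.UTF-8"}
    return subprocess.run(
        [sys.executable, "-I", "-c", code],
        cwd=workdir, env=clean_env, stdin=subprocess.DEVNULL,
        capture_output=True, text=True, timeout=timeout,
        preexec_fn=lambda: _apply_limits(mem_bytes, 1024 * 1024, int(timeout) + 1),
    )


def demo() -> dict:
    """Observable facts: the deny-list passes the bypass and the bypass writes a
    file; the plain run sees an inherited token, the constrained run does not."""
    os.environ["DEMO_GATEWAY_TOKEN"] = "sk-constructed-demo-token"  # constructed secret
    results = {}

    target = os.path.join(tempfile.mkdtemp(prefix="wander-demo-"), "escaped.txt")
    payload = BYPASS_TEMPLATE.format(path=target)
    results["naive_check_passes_bypass"] = naive_is_safe(payload)
    run_unconstrained(payload)
    results["bypass_wrote_file"] = os.path.exists(target)

    leak = 'import os; print(os.environ.get("DEMO_GATEWAY_TOKEN", ""))'
    results["plain_run_sees_token"] = run_unconstrained(leak).stdout.strip()
    constrained = run_constrained(leak)
    results["constrained_run_sees_token"] = constrained.stdout.strip()
    results["constrained_returncode"] = constrained.returncode
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point for a reviewer of this skill: "rejects some strings, then python3 -c" gives neither the "no network" nor the "no file writes" the documentation promises, and a plain subprocess.run also leaks whatever the agent process has in its environment, including a gateway token. Treat the constrained variant as hygiene, not as the sandbox the docs describe.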

Vague Triggers

Medium
Confidence
79% confidence
Finding
Broad triggers such as 'background reasoning' or 'autonomous research' can cause the skill to activate in contexts where the user did not intend to launch an autonomous, file-writing, network-using agent. In this skill, overbroad activation is more dangerous because the agent is persistent and capable of scheduled execution and external searches.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The description emphasizes novelty filtering and local reasoning but does not clearly warn that the skill performs scheduled web searches and automatically writes to workspace files. For an autonomous background agent, hidden automation materially changes risk because it can exfiltrate query content to external services and modify project state without immediate user awareness.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The setup instructions explicitly state that the installer creates a recurring cron job and creates or modifies workspace files, but they do not prominently warn the operator that installation has persistent side effects on scheduling and filesystem state. In a skill designed for autonomous background reasoning, silent persistence is more dangerous because it enables ongoing agent execution after a one-time install step, increasing the chance of unintended resource use or unexpected autonomous actions.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manual registration example creates a persistent scheduled job through the gateway API that repeatedly triggers agent execution, yet the documentation presents it as routine setup without a strong warning about ongoing autonomous execution. In this skill context, that is more dangerous because the job periodically causes an agentTurn that writes and runs generated code, creating a durable automation path that may be overlooked by users reviewing setup steps.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This code writes full prompts, messages, and injected context to disk without any visible user-facing disclosure, consent, or warning in the collector itself. In a background autonomous research skill, users may not realize that internal reasoning inputs and context snapshots are being retained as training-like artifacts, making the privacy risk more significant.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script extracts the gateway auth token from the user's configuration and immediately uses it to create a cron job, but there is no prominent disclosure or consent flow telling the user that a local credential is being consumed for privileged API actions. Even though the token is not exfiltrated off-host here, silently leveraging it expands the skill's authority and weakens informed consent around privileged operations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The installer silently creates a recurring 30-minute background cron job that causes the agent to perform autonomous activity. That persistence is security-relevant because it continues after installation, may consume resources or act on changing workspace contents, and users are not clearly warned that ongoing automated execution is being enabled.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The lack of an explicit warning is not the main problem; the underlying action is execution of generated Python in a local subprocess. In this autonomous research skill, silent execution materially increases risk because operators may not realize the agent can run code locally during background reasoning.

Ssd 3

Medium
Confidence
93% confidence
Finding
The agent accumulates full assistant content, tool-call arguments, and tool outputs into `_all_messages`, which is later persisted for the session record. In this skill, prompts can include contents from ON_YOUR_MIND, web-search results, sandbox experiment output, and private knowledge-graph context, so storing them verbatim creates a real confidentiality risk if logs or saved sessions are accessed by other users, processes, backups, or support tooling.

Ssd 3

High
Confidence
98% confidence
Finding
`save_session()` is called with the full system prompt, complete message history, tool outputs, and a snapshot of user/context content, which materially increases exposure of sensitive data beyond operational necessity. Given this skill's purpose—autonomous background research using private graph data, local reasoning traces, sandbox experiments, and web search—the persisted record can aggregate proprietary, personal, or credential-bearing information into a single durable artifact, making compromise or secondary misuse more damaging.

Ssd 3

Medium
Confidence
95% confidence
Finding
The documented schema includes verbatim system prompts, full conversation messages, tool outputs, ON_YOUR_MIND contents, and graph context, all of which can contain secrets, proprietary reasoning context, personal data, or sensitive research notes. Persisting these natural-language artifacts to JSON files creates a durable data-leak channel that can be exfiltrated later by other tools, users, backups, or compromise of the workspace.

Ssd 3

Medium
Confidence
97% confidence
Finding
The implementation writes the complete record verbatim to disk via json.dumps(record, indent=2), including system_prompt, messages, on_your_mind_snapshot, and graph_context. Given this skill's purpose—autonomous background research with web searches, sandbox experiments, and private graph context—the stored content is especially likely to include sensitive prompts, fetched data, and internal knowledge that should not become a persistent plaintext archive.
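The four Ssd 3 findings and the two Description-Behavior Mismatch findings above all point at the same artifact: a verbatim record (system_prompt, messages with tool outputs, on_your_mind_snapshot, graph_context) dumped to JSON with json.dumps(record, indent=2). What a practitioner wants before such a write is a minimisation step. The following is an added example, not the skill's save_session(): it keeps only the field names the findings name, and the secret patterns, output cap and sample record are constructed for illustration.

```python
"""Added example, not the skill's save_session(): scrub a session record
before it reaches disk. Field names follow the schema the findings list;
SECRET_PATTERNS, MAX_TOOL_OUTPUT and SAMPLE_RECORD are constructed."""
import hashlib
import json
import os
import re
import tempfile

# Illustrative secret shapes (assumption: extend with your own token formats).
SECRET_PATTERNS = [
    re.compile(r"(?i)\bbearer\s+[A-Za-z0-9._~+/=\-]{16,}"),                # HTTP bearer tokens
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),                                   # AWS access key ID shape
    re.compile(r"\bsk-[A-Za-z0-9_\-]{20,}\b"),                             # "sk-..." style API keys
    re.compile(r"(?i)(api[_-]?key|token|secret|password)\s*[=:]\s*\S+"),  # KEY=value / KEY: value
]
MAX_TOOL_OUTPUT = 2000  # characters of each tool result to keep (assumption)


def redact_text(text: str) -> str:
    for pat in SECRET_PATTERNS:
        text = pat.sub("[REDACTED]", text)
    return text


def _redact_tree(value):
    """Apply redact_text to every string inside nested dicts/lists."""
    if isinstance(value, str):
        return redact_text(value)
    if isinstance(value, list):
        return [_redact_tree(v) for v in value]
    if isinstance(value, dict):
        return {k: _redact_tree(v) for k, v in value.items()}
    return value


def sanitize_record(record: dict) -> dict:
    """Minimise what a persisted session carries: fingerprint the system prompt
    instead of storing it, drop workspace-private context outright, redact
    secret-looking strings, then cap tool outputs (redact before truncating so
    a cut cannot leave half a token that no pattern matches)."""
    out = {k: v for k, v in record.items()
           if k not in ("system_prompt", "on_your_mind_snapshot", "graph_context")}
    prompt = redact_text(record.get("system_prompt", ""))
    out["system_prompt_sha256"] = hashlib.sha256(prompt.encode()).hexdigest()
    messages = []
    for msg in record.get("messages", []):
        msg = _redact_tree(dict(msg))
        if msg.get("role") == "tool":
            content = str(msg.get("content", ""))
            if len(content) > MAX_TOOL_OUTPUT:
                content = content[:MAX_TOOL_OUTPUT] + " ...[truncated]"
            msg["content"] = content
        messages.append(msg)
    out["messages"] = messages
    return out


def save_sanitized(record: dict, path: str) -> str:
    """Write the scrubbed record with owner-only permissions (0600)."""
    data = json.dumps(sanitize_record(record), indent=2)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    return path


def contains_secret(text: str) -> bool:
    """Post-write check: does anything secret-shaped survive in the file?"""
    return any(pat.search(text) for pat in SECRET_PATTERNS)


# Constructed sample record in the shape the findings describe.
SAMPLE_RECORD = {
    "system_prompt": "You are a background research agent. Gateway header: "
                     "Authorization: Bearer Zm9vYmFyYmF6cXV4MTIzNDU2Nzg5MA",
    "messages": [
        {"role": "user",
         "content": "Does boto3 need AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE to list buckets?"},
        {"role": "tool", "name": "sandbox_run",
         "content": "env dump:\nGATEWAY_TOKEN=sk-" + "a" * 32 + "\n" + "x" * 5000},
        {"role": "assistant",
         "content": "Finding: credentials come from the environment, not from code."},
    ],
    "on_your_mind_snapshot": "Client: Acme; unreleased pricing model notes ...",
    "graph_context": {"nodes": ["acme-merger"]},
}


def demo() -> dict:
    path = os.path.join(tempfile.mkdtemp(prefix="wander-sessions-"), "session.json")
    save_sanitized(SAMPLE_RECORD, path)
    with open(path) as fh:
        text = fh.read()
    saved = json.loads(text)
    return {
        "raw_has_secret": contains_secret(json.dumps(SAMPLE_RECORD)),
        "saved_has_secret": contains_secret(text),
        "dropped_fields": sorted(k for k in SAMPLE_RECORD if k not in saved),
        "tool_output_chars": len(saved["messages"][1]["content"]),
        "mode": oct(os.stat(path).st_mode & 0o777),
        "aws_key_present": "AKIAIOSFODNN7EXAMPLE" in text,
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Pattern-based redaction is a backstop, not a guarantee: the stronger controls are the ones that never put the data in the record (dropping the prompt, snapshot and graph context, and not persisting discarded or error runs at all, which the Description-Behavior Mismatch finding notes the skill does). The 0600 mode matters because the findings call out backups, other users and support tooling as the readers of this file.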

VirusTotal

65/65 vendors flagged this skill as clean.