Unbridled

Security checks across malware telemetry and agentic risk

Overview

This is a transparent but very powerful Beeper messaging skill that can read, decrypt, and send private messages across many accounts, with some weak containment and runtime control gaps.

Install only if you intend to give the agent broad, durable access to your Beeper account, encrypted chat history, and the ability to send messages from your linked social accounts. Use a dedicated trusted host, keep disk encryption and strict file permissions enabled, avoid the default /tmp digest output, require your own confirmation process before every send, and revoke the Beeper session plus reset the recovery key if the host or files are exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (9)

Missing User Warnings

Medium
Confidence: 77%
Finding
The README prominently advertises cross-network messaging for agents without an equally prominent upfront warning that use of the skill can transmit private data and perform external actions on the user's behalf. In an agent-skill context, weak disclosure increases the chance of unintended data exfiltration, accidental messaging, or misuse before the operator understands the privacy and consent implications.

Missing User Warnings

Low
Confidence: 88%
Finding
The architecture explicitly documents storage locations for a Beeper access token, Olm/Megolm state, sync tokens, and a recovery key, all of which are highly sensitive credentials or cryptographic material. While documentation alone is not exploitation, this design creates real compromise risk if the host, backups, logs, or developer workflows expose these files, and the skill context increases sensitivity because the recovery key can bootstrap trust and unlock message history across many bridged networks.

Missing User Warnings

Medium
Confidence: 96%
Finding
The checklist explicitly instructs the user to hand the Beeper recovery key to the agent and store it on the agent host. That key is sufficient to decrypt cross-signing secrets and import encrypted message history, so giving it to the agent grants broad access to the user's protected communications across bridged networks; the document does not clearly foreground that security consequence or require stronger containment than a local file.

Missing User Warnings

Medium
Confidence: 91%
Finding
This script automatically reads highly sensitive material from disk (the Beeper recovery key and access token), decrypts cross-signing secrets, and performs a security-sensitive signing/upload operation without any interactive confirmation, dry-run mode, or explicit consent gate. In an agent-skill context, that is risky because invocation of the skill can silently change the trust state of the user's Matrix/Beeper device and use long-lived credentials the user may not realize are being consumed.

Missing User Warnings

Medium
Confidence: 97%
Finding
The script decrypts private messages from multiple bridged networks and writes message bodies into a plaintext Markdown file under /tmp/recap. That creates a clear confidentiality risk because highly sensitive cross-platform communications are persisted on disk in a broadly discoverable location, potentially accessible to other local users, backup systems, log collectors, or later processes, and the script provides no explicit warning or consent checkpoint before doing so.

Missing User Warnings

Medium
Confidence: 94%
Finding
The send command transmits messages immediately once invoked, with no confirmation prompt, dry-run mode, or other friction to prevent accidental or unauthorized outbound communication. In the context of a multi-network messaging bridge, this increases the risk of unintended data disclosure, social engineering amplification, and actions being taken on behalf of the user across external services.

Credential Access

High
Category: Privilege Escalation
Content
|---|---|---|
| Beeper password | User's head / password manager | Master secret |
| Beeper Recovery Key | `~/.secrets/beeper-recovery-key.txt` (600) | Master secret (decrypts cross-signing keys) |
| `bbctl` access token | `~/.config/bbctl/config.json` (600) | Device-scoped credential |
| Olm/Megolm store | `~/.local/share/clawd-matrix/` (700) | Device-scoped credential |

If the recovery key ever leaks, **regenerate it from Beeper Desktop** (Settings → name → ⌄ → Reset Recovery Code) and re-run `bootstrap_crosssign.py` on each agent device.
Confidence: 90%
Finding
access token

Session Persistence

Medium
Category: Rogue Agent
Content
`scripts/sync_daemon.py` wraps `matrix-nio`'s `sync_forever` in a supervised loop with exponential backoff and consumes these `to_device` events as they arrive. Running it under systemd keeps the store always up-to-date.

```bash
systemctl --user enable --now clawd-beeper-sync.service
journalctl --user -u clawd-beeper-sync -f
```
Confidence: 82%
Finding
systemctl --user enable

Session Persistence

Medium
Category: Rogue Agent
Content
```bash
bbctl whoami  # sanity check: all bridges RUNNING

# 2. Save your recovery key (never commit this!)
mkdir -p ~/.secrets && chmod 700 ~/.secrets
echo 'YOUR RECOVERY KEY HERE' > ~/.secrets/beeper-recovery-key.txt
chmod 600 ~/.secrets/beeper-recovery-key.txt
```
Confidence: 70%
Finding
mkdir -p ~/.secrets && chmod 700 ~/.secrets echo 'YOUR RECOVERY KEY HERE' > ~/.secrets/beeper-recovery-key.txt chmod 600 ~/.secrets/beeper-recovery-key.txt # 3. Initialize the Olm store and cross-sig

VirusTotal

VirusTotal findings are pending for this skill version.
