ClawHub

Runstr analytics

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do RUNSTR fitness analytics, but it asks for a highly sensitive Nostr private key and handles it less safely than the documentation claims.

Install only if you are comfortable granting this skill access to your Nostr private key and decrypted RUNSTR data. Prefer a version that does not ask for nsec in chat or command-line arguments, fixes the stdin-only documentation mismatch, and pins the nak dependency. If you proceed, use a private machine with disk encryption, avoid enabling cron unless you need daily reports, review crontab entries, and delete ~/.cache/runstr-analytics when you no longer want local decrypted data retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)
            self.hex_sk = result.stdout.strip()
            
            result = subprocess.run(
                ["nak", "key", "public", self.hex_sk],
                capture_output=True, text=True, check=True
            )
Confidence
80% confidence
Finding
result = subprocess.run( ["nak", "key", "public", self.hex_sk], capture_output=True, text=True, check=True )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
"""Decrypt NIP-44 encrypted content."""
        try:
            cmd = ["nak", "decrypt", "--sec", self.hex_sk, "--sender-pubkey", self.hex_pk, content]
            result = subprocess.run(cmd, capture_output=True, text=True, check=True)
            decrypted = result.stdout.strip()
            
            import base64
Confidence
94% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, check=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
            # Use nak decrypt with sender-pubkey (self-encrypted)
            cmd = ["nak", "decrypt", "--sec", self.hex_sk, "--sender-pubkey", self.hex_pk, content]
            result = subprocess.run(cmd, capture_output=True, text=True, check=True)
            decrypted = result.stdout.strip()
            
            # Decompress gzip
Confidence
71% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, check=True)

Intent-Code Divergence

Medium
Confidence
99% confidence
Finding
The script’s comment says the NSEC secret is passed securely via stdin, but the actual command uses `--nsec "$NSEC"`, placing the secret on the process command line. Command-line arguments are commonly exposed to other local users via process listings, shell history tooling, crash reports, or monitoring systems, so this can leak a credential despite the script claiming otherwise. In this analytics context, the skill only needs to analyze user fitness data, so exposing a long-lived Nostr secret is more dangerous because it grants broader account access than the user likely expects.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The script reads a sensitive credential from the environment (`RUNSTR_NSEC`) in order to fetch data from Nostr, which expands the skill’s capabilities beyond local analytics into authenticated external access. Even if this is functionally intended, environment-stored secrets are frequently exposed through inherited process environments, debugging tools, CI logs, or misconfigured telemetry, and the manifest’s analytics-focused description does not clearly justify requiring an account secret. Because the skill is framed as fitness analytics and recommendations, requesting a Nostr private credential increases risk and should be treated with elevated suspicion.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script relies on an external CLI for key decoding, public-key derivation, Nostr queries, and decryption, creating a broad trust boundary around a locally resolved executable. In this skill's context, that is more dangerous because highly sensitive key material is handled; if `nak` is replaced, trojaned, or unexpectedly logs data, the user's secret and backup contents can be compromised.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The script modifies the user's crontab to install a persistent scheduled task, which is a privileged host-side action beyond simple fitness analytics. Even though it prompts for consent and appears user-facing, persistence mechanisms can continue executing code and handling secrets (such as RUNSTR_NSEC) after setup, increasing the blast radius if the companion script is unsafe or later changed.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill includes system-level cron management that creates persistent execution on the host, which is not clearly justified by the stated analytics/coaching purpose. This matters because scheduled execution can repeatedly access local data and environment secrets and can survive after the user forgets about the installation.

Missing User Warnings

High
Confidence
99% confidence
Finding
The setup instructions explicitly tell users to paste their Nostr private key into chat, which is a highly sensitive credential equivalent to an account secret. Even though the file includes later security notes, prompting users to disclose the key in chat materially increases the risk of credential exposure through chat logs, model providers, telemetry, screenshots, or accidental sharing.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill requires a Nostr private key via a command-line argument, which commonly exposes secrets through shell history, process listings, job logs, and monitoring tools. Because this is a long-lived private key used to decrypt personal backup data, accidental disclosure could compromise the user's account and private fitness/journal information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The help text encourages users to pass their private key with `--nsec`, which typically exposes the secret in shell history and process listings. That creates a practical credential-leak risk even if some internal handling later uses stdin.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The tool requires a highly sensitive credential (--nsec) directly from the user but provides no prominent warning that command-line arguments may be visible to other local users, shell history tooling, or logs. In this skill context, that is especially important because the script processes a Nostr private key that can be used to decrypt backups and act as the user.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal