雷神之脑 (Thor's Brain) v3.0.2

Security checks across malware telemetry and agentic risk

Overview

This is a mostly disclosed local memory skill, but it includes optional automation that can broadly commit, delete, archive, or back up workspace data and should be reviewed before installation.

Install only if you want a persistent local memory system and are comfortable reviewing the files it stores. Leave cron, auto-commit, remote backup, and node-communication features disabled unless you have audited the scripts, limited them to the intended memory directory, and configured secure backup credentials. Do not store secrets in MEMORY.md, USER.md, daily logs, or files that could be committed or backed up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (31)

Lp3
Category: MCP Least Privilege
Severity: Medium
Confidence: 81%
Finding: The skill advertises operational capabilities such as file writes and shell-based installation steps, but does not declare corresponding permissions. Undeclared write/shell behavior reduces transparency and prevents hosts or reviewers from applying least-privilege controls, which can lead to unintended filesystem changes or command execution when the skill is enabled.

Tp4
Category: MCP Tool Poisoning
Severity: High
Confidence: 92%
Finding: The documented behavior emphasizes a 100% local, opt-in model, but the referenced behavior set includes git automation, remote backup, user switching, permission modification, inter-node communication, and Python-based state updates that materially expand the trust boundary. This mismatch is dangerous because users may install or authorize the skill under a low-risk assumption while hidden or under-documented features can alter files, persist data, or exfiltrate workspace contents if optional components are later activated.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The spec introduces active HTTP/WebSocket node-to-node communication, which materially expands the attack surface beyond a primarily local memory system. Even if described as optional or internal-only, network services, message handling, and remote coordination create additional risks such as unauthorized access, protocol abuse, and exposure from misconfiguration.

Category: Context-Inappropriate Capability
Severity: High
Confidence: 96%
Finding: The `task` message permits actions such as `execute_command`, enabling remote task execution through the protocol. This is dangerous because any weakness in authentication, authorization, window approval, or input validation could turn the protocol into a remote command channel with potential for arbitrary code execution or host compromise.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The node registry advertises capabilities including `execute` and `fileops`, which broaden the system from memory management into remote execution and file manipulation. Advertising and normalizing these capabilities increases the chance that connected nodes will be trusted with overly powerful operations, making lateral movement or destructive actions more feasible if a node or token is compromised.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 86%
Finding: The document materially expands the system from a local-only memory tool into a multi-node control, storage, and communications architecture with controller/compute/storage roles and direct node-to-node channels. That increased trust boundary and attack surface contradict the stated local-first positioning in the skill metadata, and create security risk because compromise of one node, token, or channel could expose memory, tasking, or control across the cluster.

Category: Intent-Code Divergence
Severity: Medium
Confidence: 92%
Finding: The security model asserts communication is restricted to the 192.168.110.0/24 subnet, but the same architecture includes HTTP API, WebSocket, SSH, WebDAV, and Nextcloud-based storage/sync paths that can bridge beyond a simple internal-subnet assumption. This mismatch is dangerous because operators may rely on network locality as a control while externalized protocols and sync services create alternate ingress, egress, and lateral-movement paths.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The script stages and commits all changes in the configured workspace repository without any user confirmation, which expands behavior from passive local memory storage into active repository mutation. In a workspace that may contain prompts, notes, generated artifacts, or secrets, this can persist unintended data into version history and create a misleading audit trail of autonomous changes.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 89%
Finding: An hourly unattended cron-driven commit mechanism mutates any git repository placed at the configured workspace path, even when the user may only expect local Markdown/JSON memory persistence. This increases risk because it runs continuously and silently, turning transient or accidental edits into committed history without deliberate approval.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The script's stated purpose is local work logging, but it also automatically stages and commits files to Git. Because the files are user-supplied and the commit happens without a separate consent step, this can persist sensitive or unintended changes into repository history, which is harder to undo and may later be pushed elsewhere.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: Automatic staging and committing of arbitrary user-provided paths is broader than what a memory log helper needs to do. In this skill context, which emphasizes local Markdown/JSON memory, silently modifying repository state increases the chance of accidental capture of secrets, credentials, or unrelated files.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The strategy registry for a purportedly local memory system includes remote access and privileged administration workflows such as ssh, scp, and sudo. Even with a consent flag, embedding these operational playbooks broadens the agent's action surface and can normalize out-of-scope execution when common errors are matched.

Category: Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The file encodes concrete commands for privileged and remote capabilities that are not justified by the stated purpose of '100% local' memory management. This mismatch increases the chance that an agent applies high-risk actions in response to routine operational failures, creating unnecessary exposure to credential misuse, system changes, or remote interaction.

Category: Description-Behavior Mismatch
Severity: Medium
Confidence: 97%
Finding: The document claims memory restoration reads are limited to files within the workspace, but the procedure explicitly reads `MJOLNIR_USER` from the environment and `~/.mjolnir_current_user` from the user's home directory. That mismatch can cause the agent to ingest context from outside the declared trust boundary, enabling cross-workspace context confusion or unauthorized access to user-specific state.

Category: Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding: This section states the memory system performs only local workspace reads and no external calls, but earlier instructions require reading an environment variable and a file in the user's home directory. Such contradictory security guarantees can mislead users and downstream agents into trusting data sources that are actually outside the workspace isolation model.

Category: Intent-Code Divergence
Severity: Medium
Confidence: 92%
Finding: The file says external operations require explicit user confirmation, but elsewhere lists web searches and calendar checks as 'safe to do freely', and heartbeat behavior suggests proactive polling. This ambiguity can normalize network or third-party data access without consent, undermining the opt-in and confirmation model described in the skill metadata.

Category: Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The backup example uses plain HTTP for WebDAV and shows credentials embedded directly in the script, which risks credential exposure and backup data interception if copied as-is. In an installation guide, users often paste examples verbatim, so insecure defaults/examples materially increase the chance of unsafe deployment.

Category: Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The write-through protocol explicitly tells the agent to persist newly learned information immediately to local files, but the document does not require user consent, visibility, or any safeguard before modifying persistent storage. In an agent setting, this creates a real security and privacy risk because user-supplied content, environment details, or operational artifacts may be written to disk automatically and survive beyond the current session.

Category: Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The combination of 'git add -A' and automatic commit modifies repository state broadly and silently, including deletions and unrelated files, with no confirmation or review step. This can capture secrets, private notes, or corrupted state and makes rollback and provenance harder because autonomous commits are mixed with intentional user changes.

Category: Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The script commits immediately after staging without warning or confirmation, so a user can unintentionally create permanent history entries containing sensitive data or incorrect files. This is especially risky because the file list comes from command-line arguments and the script presents examples involving security-sensitive paths.

Category: Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The guidance to try known-error solutions sorted by success rate can cause broad automatic application across many generic failure strings without contextual validation. In a strategy file that includes privileged and remote actions, weak scoping materially raises the risk of unsafe or inappropriate remediation being selected.

Category: Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The instruction to delete `BOOTSTRAP.md` on first run directs a destructive file operation without any confirmation, retention, or audit guidance. If followed automatically, it can erase provenance, setup instructions, or evidence needed for recovery and can be abused to hide initial configuration or tampering.

Category: Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The template explicitly instructs the agent to collect and persist user profile data such as name, preferred form of address, timezone, notes, values, boundaries, and preferences into local files without any privacy notice, consent step, retention policy, or minimization guidance. Even if storage is local by default, this still creates unnecessary privacy and data-handling risk because sensitive personal information may be recorded automatically and later exposed, synced, or reused beyond the user's expectations.

Category: Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: This section describes unattended maintenance that modifies and deletes local data, including trimming MEMORY.md, appending to logs, deleting small files, and archiving old logs. Although the file says execution is opt-in, it does not give a sufficiently explicit user-facing warning about data loss, retention changes, or the scope of affected files at the point where those actions are defined, so users could enable heartbeat/cron behavior without fully understanding the consequences.

Category: Vague Triggers
Severity: Low
Confidence: 86%
Finding: The instruction to update the file whenever something new is discovered creates an open-ended trigger for persistence of user data. Without limits on relevance, consent, or retention, an agent could over-collect and store sensitive personal details simply because they were mentioned in conversation.

VirusTotal

66/66 vendors flagged this skill as clean.
