Intrusive Thoughts

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives an agent broad unattended authority to run and modify code, install tools, message or post externally, and expose local activity data.

Install only in a tightly constrained agent profile. Do not enable cron jobs until thoughts.json, presets, trust settings, and integrations are reviewed. Require approval for file writes outside the skill data directory, code commits, package installs, public posts, external messages, deletion, deployment, and system/network changes. Bind the dashboard to localhost or add authentication, and treat stored memory, journals, mood history, and activity logs as private data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (49)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises and documents meaningful capabilities including shell execution, network access, file reads/writes, environment-variable use, and autonomous scheduling, but does not declare corresponding permissions. That mismatch weakens security review and user consent because operators may install a skill without understanding its effective authority or ongoing behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The description frames the skill as a personality/consciousness starter kit, but the documented behavior extends into autonomous scheduling, external data fetching, telemetry-like health monitoring, and human messaging. This under-describes operational and security-relevant behavior, increasing the chance that users enable an automation skill without realizing it can act persistently and interact with external services.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The README explicitly documents autonomy around external messaging, public posting, API access, system changes, tool installs, and code execution via the trust system, even though the skill is presented as a mood/autonomy starter kit rather than a narrowly bounded automation tool. This expands the agent’s operational scope into sensitive actions and normalizes self-directed authority growth, creating a pathway to misuse or unsafe execution if deployed without strict guardrails.

Context-Inappropriate Capability

Low
Confidence
84% confidence
Finding
The README instructs that the agent can create its own cron jobs, including recurring and dynamically generated jobs, which gives it persistence and the ability to schedule future behavior without ongoing user involvement. For an autonomous skill that performs night-time actions, this materially increases risk by enabling unattended execution and making behavior harder to monitor.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The document claims the system operates entirely within its skill directory, yet it also describes creating scheduled jobs outside that directory via cron/at/OpenClaw scheduling. External scheduler state is persistent system state, so the claim is misleading and can cause reviewers to underestimate installation footprint and post-install behavior.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The documentation says scripts do not create cron or at entries directly, but later states that schedule_day.py creates one-shot at jobs. This inconsistency obscures the actual execution model and can hide persistence mechanisms from users and reviewers, even if the underlying behavior is not overtly malicious.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The dashboard exposes broad internal telemetry through unauthenticated HTTP endpoints, including health, systems, memory/trust/proactive/evolution stats, and recent activity. Even if intended for local debugging, this materially increases information disclosure by revealing internal state, behavior patterns, and operational details that can aid further attacks or leak sensitive user/agent data.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code persists both inferred mood state and a snippet of the user's original message (`raw_message`) to disk, and also maintains a history of prior entries. This creates a lightweight user-profiling store that can reveal emotional state over time, which is sensitive behavioral data and exceeds transient mood detection.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The audit mode presents strong security assurances such as 'all read-only GET requests' but only performs grep-based string extraction from another file. This can mislead users or reviewers into trusting incomplete or inaccurate audit output, especially if the referenced file changes or contains additional network behavior not captured by the grep patterns.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script claims file access is limited to the skill directory, but the audit output only lists selected files and directories under SCRIPT_DIR rather than proving all runtime paths are confined there. This creates a false sense of safety and may hide real reads or writes performed through sourced scripts, environment-derived paths, or other runtime logic.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The script claims to log results and adjust mood, but it also conditionally executes an auxiliary Python program from the data directory. That creates an unintended execution path where any writable or attacker-influenced file at that location can run arbitrary code during normal logging, expanding the trust boundary beyond simple state updates.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The preset enables high-impact autonomous actions such as pushing code and installing software even though the skill is described as a personality/cognition toolkit, not a deployment or system administration tool. This unnecessary capability expansion increases the chance of unauthorized repository changes, supply-chain exposure, or host compromise if the agent acts incorrectly or is influenced by other inputs.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
Setting autonomy to "full" with a "bold" decision threshold and allowing self-configuration and file modification turns a mood/personality preset into a system-modifying agent. In this context, the skill metadata makes the behavior more dangerous because capabilities far exceed the stated purpose and normalize self-directed operational changes without clear boundaries.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The prompts explicitly authorize autonomous installation of software and system/network modification, which exceeds passive 'thought/mood/memory' behavior and can lead to unreviewed changes on the host. In this skill's context, these actions are triggered as free-form background activities at night, making unintended or unsafe execution substantially more likely.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The prompt instructs the agent to modify projects under ~/Projects and commit changes autonomously, granting broad code-writing authority without scope limits, review requirements, or repository allowlisting. In a background 'intrusive thoughts' skill, this creates a direct path to damaging code, introducing vulnerabilities, or committing unwanted changes to sensitive repositories.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill instructs the agent to find and install arbitrary external CLI tools, which creates a supply-chain and persistence risk by authorizing execution of unvetted software. Because the prompt is open-ended and framed as exploratory nighttime behavior, there are no trust boundaries, package-source restrictions, or approval checkpoints.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The prompt authorizes autonomous browsing, commenting, and posting to an external platform, exposing the operator to reputation, privacy, and social-engineering risks. In this skill, the behavior is casual and unconstrained, increasing the chance of inappropriate disclosures or actions taken without user awareness.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
'Tinker with the system' and 'explore the network' grant vague but powerful authority to alter the host environment and probe connected systems. This is especially dangerous in an autonomous background skill because the lack of scope or guardrails can lead to service disruption, unauthorized scanning, or changes with security consequences.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The system explicitly models trust for high-impact capabilities like code execution, system changes, external API access, and messaging, then uses that trust to decide whether the agent should proceed autonomously. In the context of a skill whose purpose is framed around moods, intrusive thoughts, and self-evolution, this meaningfully expands operational authority and creates a path for sensitive actions to occur with reduced human oversight.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The wizard rewrites another executable, intrusive.sh, by splicing in a new case block and replacing the original file in place. For an onboarding/configuration wizard, mutating the main runtime entrypoint exceeds expected scope and creates a supply-chain style risk: running the wizard changes future behavior of the tool, and a malformed rewrite could also break or silently alter command handling.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The README promotes behaviors like checking weather and news, browsing external services, and messaging the human proactively, but it does not present a clear privacy or unsolicited-action warning up front. Users may not realize that the skill initiates data gathering and outbound communication autonomously, which can expose personal context or create unwanted interactions.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README describes persistent scheduled execution, including night-time workshop behavior and dynamically created daytime jobs, without a clear warning that the skill will continue acting while the user is absent. This omission is dangerous because unattended scheduled actions can affect the system state, access external resources, or generate activity that the user did not anticipate.

Vague Triggers

Medium
Confidence
80% confidence
Finding
Describing the skill broadly as an autonomous behavior system without clear trigger constraints signals that it may self-initiate actions on schedules or environmental cues. For an agent skill, vague activation boundaries are dangerous because they can lead to unexpected tool use, persistence, and state changes without a well-defined user action boundary.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill documents recurring autonomous actions, dynamic pop-ins, overnight work, and messaging a human, but does not provide a strong, prominent warning that it will continue affecting system and scheduler state after setup. That creates consent and safety issues because users may not realize the skill persists, runs unattended, and can generate outbound communications.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The server binds to 0.0.0.0, making the dashboard reachable from other hosts, while the rendered page includes sensitive journal excerpts, mood history, achievements, and activity summaries. In the context of an 'autonomous AI consciousness starter kit' that tracks introspective and behavioral data, this creates a real privacy and reconnaissance risk far beyond a harmless local dashboard.

VirusTotal

64/64 vendors flagged this skill as clean.