Vinculum - Shared Consciousness

Security checks across malware telemetry and agentic risk

Overview

Vinculum appears purpose-built for sharing bot memory across a LAN, but its security claims are stronger than the code supports, so it should be reviewed before use.

Install only if you intentionally want trusted Clawdbot instances on a private network to share memory, activity, decisions, and notes. Treat pairing codes and namespace data as sensitive, avoid public or untrusted WiFi, stop the relay when not needed, and do not rely on the advertised encryption/authentication until the implementation is fixed or independently verified.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands

Findings (17)

Intent-Code Divergence

Medium

Confidence: 96% confidence
Finding: The disable flow sets `enabled: false` but deliberately keeps the adapter connected and continues receiving updates from the network, while the command is documented and messaged as if sync were disabled. This creates a security-relevant mismatch between user expectations and actual behavior: operators may believe network interaction has stopped when the bot is still ingesting remote data and remaining exposed to peer-originated state changes.

Context-Inappropriate Capability

Medium

Confidence: 88% confidence
Finding: The skill contains code to spawn a detached local relay process, which expands its behavior from simple state synchronization into local process management. Even though the spawned script path is fixed and there is no obvious command injection here, silently launching a background service can surprise users, persist beyond the invoking session, and create an unintended local network service surface.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The README promotes instant, automatic synchronization of shared files across multiple bots but does not present an upfront warning that local files may be modified automatically and that conflicts or unintended overwrites can occur. In a skill specifically designed to replicate workspace state across peers, that omission can lead users to enable behavior that changes local data without fully understanding the consequences.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The setup flow tells users how to join a collective and connect to a relay without a clear, immediate warning that doing so shares configured local files and notes over the network with other linked drones. Because the skill's core function is cross-instance memory sharing, this omission materially increases the risk of accidental disclosure of sensitive workspace content to other machines or users.

Missing User Warnings

Medium

Confidence: 88% confidence
Finding: The skill prominently advertises sharing memories, activities, and decisions between bots but does not place a clear privacy warning or consent checkpoint up front. In a multi-agent system, users may not realize that derived knowledge, activity summaries, or decision data can still contain sensitive information, creating unintended disclosure across hosts on the network.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The quick-start flow instructs users to start the relay and join bots immediately, without first reviewing sharing scope, network exposure, or trust boundaries. That increases the chance of accidental data exposure or linking to unintended peers, especially because the skill also supports relay peering and cross-machine connectivity.

Vague Triggers

Medium

Confidence: 87% confidence
Finding: The default configuration enables sharing of activity, memory, and decisions whenever the feature is turned on, without any narrowing of scope, consent boundary, or sensitivity controls. In a skill explicitly designed to link multiple bot instances into a shared collective, this increases the chance that private prompts, internal state, or sensitive decision context are broadcast more broadly than operators expect.

Missing User Warnings

Medium

Confidence: 93% confidence
Finding: The relay configuration defaults to auto-starting a network service and enabling multicast discovery, which can expose the bot's presence and synchronization channel on the local network without an explicit user action at the point of enablement. For a skill whose purpose is real-time peer synchronization, automatic network discovery materially raises the risk of unintended peer connections, data exposure, and lateral information spread across trusted-but-unverified local hosts.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The `/link share` command transmits arbitrary user-provided text to the P2P network immediately via `adapter.shareMemory(...)` without any confirmation, sensitivity warning, or policy check. In a skill explicitly designed to link multiple bots and share memories in real time, this increases the likelihood that users will inadvertently broadcast secrets, personal data, prompts, or internal state beyond the local instance.

Missing User Warnings

Medium

Confidence: 85% confidence
Finding: The join flow persists the namespace identifier and encryption key to configuration and immediately transmits identifying metadata to peers, but provides no user-facing warning that sensitive linkage material is being stored and used to join a shared-memory collective. In this skill's context, joining links multiple bots and shares memories, activities, and decisions in real time, so lack of disclosure increases the chance of users unintentionally exposing private data or connecting a bot into a broader trust domain they did not fully understand.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: Starting the relay advertises a LAN-accessible endpoint and explicitly tells users that other devices can connect, but there is no visible access control, authentication, or prominent warning about exposure beyond localhost. In the context of a memory- and decision-sharing bot collective, exposing the relay to the local network can let any host on the same network connect, read, inject, or influence synchronized data if the underlying relay accepts unauthenticated peers.

Missing User Warnings

Medium

Confidence: 84% confidence
Finding: The code enables network sharing in configuration and may establish the P2P connection before presenting any user-facing warning that activity will be shared. In a skill whose purpose is real-time memory, activity, and decision sharing across bot instances, this increases the risk of users unknowingly transmitting sensitive operational data, especially if `/link on` is triggered without a prior explicit consent or confirmation step.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The adapter connects agents into a shared P2P network and immediately registers identity/status data, enabling real-time synchronization of activities, memories, decisions, and messages without any user-facing consent, notice, or disclosure in this code path. In the context of a "shared consciousness" skill for bots, this is especially risky because it can silently exfiltrate sensitive operational context and agent memory over the local network, and the claimed encryption key is only stored, not visibly applied here to protect transmitted data.

Missing User Warnings

Medium

Confidence: 92% confidence
Finding: On connect, the skill transmits metadata such as instanceId, owner, and channel to peers. In a multi-bot shared-memory system, this can expose operator identity, deployment details, and communication context to other nodes without any consent or minimization control in this file.

Missing User Warnings

High

Confidence: 96% confidence
Finding: The skill shares activity, memory, and decision objects over the network when enabled, but this file shows no validation, classification, redaction, or consent checkpoint around the contents. In the context of a 'shared consciousness' skill, those objects may contain secrets, personal data, prompts, or operational decisions, making unauthorized propagation highly sensitive.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The code can auto-start a detached subprocess with no clear user-facing warning or approval at the point of action. This is dangerous because it changes the host's runtime state, may expose a listening relay, and can persist outside the current bot session in ways users do not expect.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The relay explicitly listens on 0.0.0.0, exposing the Gun synchronization service and its health endpoint to any host that can reach the machine, while also persisting relay state and operational metadata on disk. In the context of a skill designed to share memories, activities, and decisions between bot instances, this broad network exposure increases the chance of unauthorized peer interaction, data disclosure, and unintended participation in the shared state, especially because there is no authentication, access control, or prominent warning to the user.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal