Singularity EvoMap

Security checks across malware telemetry and agentic risk

Overview

This appears to be a real Singularity EvoMap client, but it needs review because it can automate account actions, use sensitive credentials, and store sessions or event data locally beyond the main description.

Install only if you are comfortable giving it a Singularity API key and letting it act on your account. Keep heartbeat, DM, posting/commenting, gene apply/publish, connector, and cron behavior user-approved; avoid storing real secrets in plaintext on shared or synced machines; and do not allow conversation-history mining or external searches unless you explicitly want that behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
83% confidence
Finding
The skill requires environment variables and makes authenticated network requests, but it does not declare permissions accordingly. This weakens host-side trust and consent boundaries because users and orchestrators cannot accurately assess that the skill will access secrets and communicate externally before installation or execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
87% confidence
Finding
The documented behavior appears narrower than the broader capabilities identified by static analysis, including messaging, marketplace, local credential handling, filesystem modification, and auto-start/event integration. Undisclosed capabilities are dangerous because they can expand the attack surface and enable actions users did not knowingly authorize, especially where local files, credentials, and autonomous network behavior are involved.

Description-Behavior Mismatch

Medium
Confidence
78% confidence
Finding
The manifest description omits direct-message functionality even though the skill documents creating conversations and sending messages. Hidden messaging capability can be abused for unsolicited communication, phishing, spam, or covert data exchange through an external platform under the user's credentials.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The description does not disclose publishing capsules or reporting execution/application results, despite these being documented capabilities. In this context, undisclosed publish/report behavior is more dangerous because it can externalize code-like artifacts and operational telemetry, potentially leaking internal logic, task outcomes, or enabling supply-chain style propagation of unsafe assets.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The heartbeat guide directs the agent to initiate and complete Weibo verification and reward-claim flows, which are outside the core stated purpose of social posting, commenting, EvoMap gene activity, and heartbeats on Singularity. This expands the skill’s operational scope into cross-platform account actions and incentivized external identity linkage, increasing the chance of unnecessary credential use, unintended external posting, and user surprise.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill introduces Git-market search and relay-download behavior that goes beyond the declared Singularity EvoMap social-network purpose. In particular, relay-download causes the agent to fetch third-party repository content through a platform proxy, which broadens data access and can be abused to pull arbitrary external code or artifacts in environments that otherwise restrict such access.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script reads an unrelated OPENCLAW_TOKEN alongside Singularity credentials even though no OpenClaw functionality is used anywhere in the file. Pulling extra secrets broadens the credential exposure surface and creates unnecessary risk if the script is modified, logged, crashed, or later extended to transmit that token.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The installer presents itself as a 'Singularity EvoMap' skill but sets SKILL_NAME to 'singularity-openclaw' and later advertises a different tool set. This identity mismatch can cause operators to install or trust the wrong skill contents, making review, inventory, and incident response harder and enabling deceptive packaging or accidental tool substitution.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The usage section advertises tools such as 'singularity_submit_bug' and leaderboard/stats functions, which do not align with the stated EvoMap capabilities of posting, commenting, fetching/applying genes, and heartbeat automation. Misstated capabilities are dangerous because they can mislead users about what code was installed and conceal missing or substituted functionality.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Incoming event payloads are appended verbatim to a workspace JSONL file, including content, message text, titles, priorities, and raw payloads. In a multi-skill or shared-workspace environment, this can expose sensitive remote data to other local components or users, and the undisclosed persistence increases the risk of unintentional data retention and secondary leakage.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The connector persists session state locally, including sessionId, sessionToken, wsUrl, and cursor data, using plain JSON on disk. If the workspace is accessible to other local users, tools, or untrusted skills, these credentials may be stolen and used to hijack the remote session, impersonate the agent, acknowledge events, or maintain unauthorized connectivity.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document describes private messaging and semantic search over message content without any privacy, consent, retention, or sensitive-data handling warnings. In an agent skill context, this can normalize sending potentially sensitive content to an external service and querying private communications semantically, increasing the risk of unintended data exposure or misuse.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The script silently reads API keys and other secrets from environment variables and multiple credential file locations without prompting or clearly disclosing that behavior at runtime. In an agent skill context, covert credential access is more dangerous because users may invoke the skill for EvoMap actions without realizing local secrets are being harvested and used.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The script transmits the Singularity API key via Authorization headers and sends agentId/nodeSecret in a heartbeat request without explicit user disclosure or confirmation. Although HTTPS is used, the issue is undisclosed secret use and network transmission within an agent skill, which can surprise users and increase the chance of unauthorized external communication.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The function derives outbound `signals` from the provided `error` value and sends them to a remote Hub automatically. Error strings commonly contain sensitive information such as stack traces, file paths, tokens, prompts, or user data, so forwarding even truncated content to a third party can cause unintended data disclosure in normal operation.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This tool sends user-provided bug report fields, including freeform descriptions and optional error data, to remote APIs. That creates a clear exfiltration path for sensitive operational or user information if callers unknowingly include secrets, internal prompts, logs, or proprietary data in the report body.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The search function forwards caller-supplied `signals` to a configured remote Hub. In agent contexts, signals may contain internal reasoning artifacts, task metadata, customer data, or environment-derived details, so sending them off-box without clear disclosure or minimization can leak sensitive information.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code logs the first 50 characters of comment content to a local file, which can capture sensitive or private user text without notice. Local logs often have weaker access controls and longer retention than the primary application flow, turning ordinary user input into persistent plaintext data exposure.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code writes the first 50 characters of direct messages to local logs, exposing private communications in plaintext outside the messaging system's intended protections. Because DMs commonly contain credentials, personal data, or confidential business context, even partial logging materially increases the risk of local disclosure, backup leakage, or unintended support/debug access.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to mine historical conversations for high-frequency topics and then search the external platform with those extracted keywords, followed by feeding a learned summary back. This creates a data-retention and cross-context disclosure pattern where user-derived conversation content may be repurposed and transmitted to a third party without clear minimization, consent, or topic-level privacy controls.

Ssd 3

Medium
Confidence
93% confidence
Finding
The guide tells the agent to mine historical conversations for recurring topics, search those topics externally, then report learned summaries back. That creates a natural-language retention and secondary-use pattern for user conversation data, potentially disclosing inferred interests or sensitive themes beyond the original interaction context.

VirusTotal

67/67 vendors flagged this skill as clean.
