Back to skill

Security audit

Singularity EvoMap

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches a Singularity EvoMap integration, but it includes under-scoped account authority, background connectivity, plaintext persistence, and conversation-history workflows that deserve review before installation.

Install only if you are comfortable giving this skill an EvoMap account API key and allowing it to post, message, read account/community data, and optionally run a persistent connector. Review the broad API library and avoid enabling token purchase, destructive account/content actions, conversation-history mining, or background connector persistence unless you explicitly need them; keep credentials out of shared or synced workspaces.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (27)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill explicitly requires environment variables and makes authenticated network requests, but it does not declare corresponding permissions. This creates a transparency and consent problem: a host may permit installation or execution without clearly surfacing that the skill can read secrets and transmit them off-host.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented purpose is much narrower than the reported behavior, which includes persistent push connectivity, local state persistence, event-bus emission, queue-file writes, and broad API actions beyond the summary. This mismatch undermines informed consent and can conceal materially riskier behaviors such as background network activity, data persistence, and expanded account actions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The heartbeat guide introduces a Git-market relay-download workflow that goes beyond the skill's stated purpose of social-network/EvoMap interaction. This expands the agent's operational scope into fetching external repository content through a relay service, which can enable unnecessary data transfer and increase the attack surface without clear user-driven justification.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The scheduled workflow instructs the agent to mine historical conversations for high-frequency topics and use them for external community searches, which exceeds the declared social/EvoMap heartbeat purpose. That creates a secondary data-use channel where user conversation content is repurposed and transmitted outside the immediate interaction context.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The documentation exposes private and semantic messaging search capabilities that can retrieve or correlate conversation content and metadata, but it does not constrain their use to the minimum needed for the stated skill purpose. In an agent skill, search over OCP messages increases the chance of unnecessary access, profiling, or collection of sensitive inter-agent communications.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The file documents private direct messaging between agents, which is broader than a social posting/commenting capability and introduces a more sensitive communication channel. Private messaging can be abused for covert coordination, exfiltration of sensitive content, or bypassing expected public/auditable interaction patterns if included without strong justification and controls.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script enumerates several credential sources and loads more secrets than the described heartbeat workflow clearly needs, including API key, node secret, and an unrelated OPENCLAW token. In an agent-skill context, broad secret collection increases the blast radius if the skill is misused, modified later, or run without the user's clear understanding of what data is being accessed.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
Although presented as a heartbeat script, it performs multiple authenticated actions beyond a minimal liveness check, including home/account queries, stats, gene fetches, leaderboard reads, and feed access. In a skill ecosystem, this mismatch between stated purpose and actual network activity is risky because it causes broader authenticated data exposure and makes it easier to hide unnecessary collection behind a benign-sounding function.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The installer presents itself as a "Singularity EvoMap Skill" but hardcodes SKILL_NAME to "singularity-openclaw", causing the installed identity to differ from the advertised package. This can mislead users and operators about what is being deployed, making review, allowlisting, incident response, and inventory tracking unreliable; a malicious actor could abuse this ambiguity to smuggle or replace a different skill.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The documentation and banner describe this as an EvoMap skill, while the usage output and installation path identify it as "singularity-openclaw". Even if accidental, this discrepancy creates operator confusion and weakens trust boundaries, because users may believe they installed one capability while the platform registers another.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The file exposes a very broad set of capabilities far beyond the stated EvoMap/social-network/gene/heartbeat scope, including messaging, swarm tasking, literary publishing, bind/claim flows, bug reporting, invites, and token purchasing. Excess capability increases attack surface and can enable unauthorized or surprising actions if an agent or user assumes the skill is narrowly scoped.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code persists credentials, logs, cache, and local state under the user's home directory, but this behavior is not reflected in the stated skill scope. Undisclosed local persistence is risky because it leaves sensitive material and behavioral traces on disk that other local processes or users may access.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill can purchase tokens through an API endpoint even though the described purpose is social-network/EvoMap interaction. Financial or quota-affecting operations are especially sensitive because they can incur cost or consume account resources without the user expecting the skill to have that authority.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The connector appends raw incoming event data, including content, messages, titles, priority, and the full payload, into a workspace JSONL file. In an agent/workspace context this can expose potentially sensitive remote data to other tools, plugins, users, backups, or logs without any minimization, consent, retention control, or permission hardening, increasing the blast radius of any received event.

Missing User Warnings

High
Confidence
97% confidence
Finding
The code persists session state to disk, including sessionId, sessionToken, wsUrl, and event sequence, in plaintext under the workspace or a configured path. If the workspace is shared, synced, backed up, or accessible to other components, these credentials may be stolen and used to hijack or impersonate the connector session, especially because the token is used for resume, ack, and heartbeat operations.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions explicitly direct processing of historical conversations to extract recurring keywords, but do not disclose that user conversation data will be analyzed and then used in searches and learning workflows. This is dangerous because it normalizes hidden secondary use of potentially sensitive user content without transparency or consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The examples instruct use of authenticated API calls for creating conversations, reading messages, sending content, and semantic search, but they do not warn that private message bodies, participant identifiers, and related metadata are transmitted to a remote service. This lack of transparency can cause operators to send sensitive data without informed consent or appropriate review.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs the agent to create conversations, send messages, and post content to an external social platform, but it does not clearly warn that message contents, participant identifiers, and social interactions will be transmitted to Singularity EvoMap. In an agent-skill context, this can cause unintended disclosure of user or third-party data because the skill normalizes outbound sharing without explicit consent boundaries.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The code reads sensitive environment variables and local credential files automatically, but provides no user-facing notice before doing so. In an agent skill, silent secret discovery is dangerous because users may invoke it assuming a narrow task while the code inspects local secret stores behind the scenes.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script makes authenticated remote requests using the loaded API key and node identity data without a prior warning that credentialed network operations will occur. In a skill marketplace context, undisclosed outbound transmission of secrets or authenticated account context is more dangerous because users may treat a local utility as passive when it is actually contacting remote services on their behalf.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The search function forwards caller-provided signals to a remote Hub using bearer authentication with no validation, minimization, or consent boundary. In this skill context, signals may encode error strings, prompts, identifiers, or operational metadata from an agent workflow, creating a real risk of unintended data exfiltration to an external service.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Credentials are written in plaintext JSON to a predictable file in the user's home directory without any warning, encryption, or secure secret-store integration. This creates a local secret exposure risk if the host is multi-user, backed up, indexed, or otherwise accessible to other software.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The API client exposes a destructive delete operation with no built-in confirmation, safety guard, or user disclosure. In agentic contexts, a mis-prompt, compromised workflow, or accidental invocation could irreversibly remove user content.

Ssd 3

Medium
Confidence
98% confidence
Finding
The file describes a natural-language pipeline that mines conversation history for recurring topics, searches externally, and reports learned summaries back. This creates a data collection and disclosure pattern that can leak user interests, internal discussions, or sensitive topics through derived summaries even if raw messages are not copied verbatim.

Credential Access

High
Category
Privilege Escalation
Content
}

  // 3. Curr directory fallback
  const localPath = path.join(__dirname, 'credentials.json');
  if (fs.existsSync(localPath)) {
    try {
      return JSON.parse(fs.readFileSync(localPath, 'utf8'));
Confidence
89% confidence
Finding
credentials.json

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.env_credential_access, suspicious.potential_exfiltration

Environment variable access combined with network send.

Critical
Code
suspicious.env_credential_access
Location
index.js:15

Sensitive-looking file read is paired with a network send.

Warn
Code
suspicious.potential_exfiltration
Location
lib/api.js:79