Kakaotalk

Security checks across malware telemetry and agentic risk

Overview

This KakaoTalk bot skill is purpose-aligned but needs review because relay mode can expose local memory and chat content through cloud services and unvalidated callbacks.

Install only after reading the Relay-mode behavior carefully. Use Basic mode if you only need a chatbot. If using Relay mode, keep secrets out of MEMORY.md, use a dedicated Supabase project with least-privilege credentials, require Kakao signature validation, restrict callback destinations, avoid exposing the local server publicly unless needed, and disable the launchd/ngrok helpers when not in active use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (17)

Tainted flow: 'req' from os.environ.get (line 275, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
```python
            headers={"Content-Type": "application/json; charset=utf-8"},
            method="POST",
        )
        with urllib.request.urlopen(req, timeout=10) as resp:
            _log(f"📤 콜백 전송 완료: status={resp.status}, url={callback_url[:60]}")
    except Exception as e:
        _log(f"❌ 콜백 전송 실패: {e}")
```
Confidence
90% confidence
Finding
with urllib.request.urlopen(req, timeout=10) as resp:

Tainted flow: 'req' from os.environ.get (line 124, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
```python
        "Content-Type": "application/json"
    })
    try:
        with urllib.request.urlopen(req) as resp:
            print(f"✅ 발송 성공: {text[:20]}...")
            return True
    except Exception as e:
```
Confidence
95% confidence
Finding
with urllib.request.urlopen(req) as resp:

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill declares environment variables and instructs users to run deployment and local scripts, implying network, shell, and local system capabilities, but it does not declare corresponding permissions. This creates a transparency and consent problem: users may trust the skill description without realizing it can interact with local files, external services, and privileged secrets.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
User conversations are forwarded to Google's Gemini API, which is a third-party processor outside the local Kakao/Ollama path described by the skill. In a messaging context, chats may contain sensitive personal or business information, so undisclosed external forwarding creates a real data-sharing and compliance risk.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
This component loads local environment secrets and is designed to access local files, expanding its capabilities beyond a simple KakaoTalk channel responder. In this skill context, optional local-access mode makes such behavior somewhat explainable, but it still increases blast radius and should be explicitly scoped and gated because the watcher also forwards data externally.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill directly invokes Gemini, introducing an additional third-party data sink beyond KakaoTalk and Supabase. In context, an AI agent may need an LLM, but the undeclared external dependency matters because user content and local memory are transmitted to it.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The description explicitly advertises optional connection to the local computer with file and memory access, but it does not present a prominent privacy and security warning. Because the relay mode bridges a public chat channel to a local watcher, users may expose sensitive files, conversation history, or system context through ordinary chat prompts.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The relay-mode example directly encourages reading files on the user's computer from KakaoTalk, yet provides no immediate warning about data leakage, prompt abuse, or accidental disclosure through the messaging channel and backend relay. In this context, the feature is more dangerous because the user interface is a chat app, which lowers friction for high-risk requests and can normalize unsafe access to local data.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
In relay mode, the skill transmits and stores user_id, utterance, and callback_url in Supabase without any user-facing disclosure or consent flow in the code. Because this skill is explicitly described as potentially connecting to a local computer with file/memory access, undisclosed forwarding of chat content is more sensitive than a typical chatbot integration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill sends user utterances to the Gemini API with no user-facing warning, consent, or privacy disclosure in the code path. For a messaging-channel skill, users may reasonably expect first-party handling, so silent transmission of conversation content to a third-party model provider creates a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The server logs webhook activity and user utterances to a local plaintext log file without any apparent notice, minimization, or retention controls. Messaging data often contains sensitive content, and plaintext persistence broadens exposure to local users, backups, log shipping systems, and post-compromise data theft.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends user message content to external LLM services, including Gemini, without any explicit warning or consent mechanism. In a KakaoTalk channel setting, users may reasonably assume messages stay within the service operator's stack, so undisclosed transfer increases privacy, contractual, and regulatory risk.

Missing User Warnings

High
Confidence
98% confidence
Finding
The watcher reads local MEMORY.md content and injects it into prompts sent to an external Gemini API without notice, filtering, or consent. That creates a direct confidentiality risk: any sensitive notes, secrets, or personal data in local memory can be disclosed to a third party whenever a user message is processed.

Ssd 3

Medium
Confidence
95% confidence
Finding
The log line records user utterance content in plain language, directly persisting whatever the user sends. Because chat inputs commonly include personal, financial, operational, or credential-like data, this creates a straightforward data exposure path and makes any local compromise or log access more damaging.

Ssd 3

Medium
Confidence
90% confidence
Finding
The application stores per-user conversation history in memory without any filtering for secrets or sensitive personal data. Even though storage is bounded, retaining full recent chat content increases blast radius for memory inspection, debugging exposure, crashes, and unintended reuse of sensitive context in later prompts.

Ssd 3

Medium
Confidence
97% confidence
Finding
User messages are combined with local memory and forwarded verbatim to the external LLM, enabling plain-language leakage of both stored local content and user-provided data. In this skill, the optional local-file access makes the issue more dangerous because the retrieved memory may contain highly sensitive workstation data unrelated to the chat task.

Session Persistence

Medium
Category
Rogue Agent
Content
1. Create a [Supabase](https://supabase.com) project.
2. Run the following query in the **SQL Editor**:
   ```sql
   create table kakaotalk_queue (
     id bigint generated by default as identity primary key,
     user_id text not null, utterance text not null, callback_url text,
     status text default 'pending', response text, created_at timestamptz default now()
   );
   ```
Confidence
83% confidence
Finding
create table kakaotalk_queue ( id bigint generated by default as identity primary key, user_id text not null, utterance text not null, callback_url text, status text default 'pending',

VirusTotal

64/64 vendors flagged this skill as clean.