Keep 数据查询 (Keep Data Query)

Security checks across malware telemetry and agentic risk

Overview

This Keep skill handles sensitive health-account access, but the reviewed artifacts disclose its authentication, local storage, logout, network, and runner-install behaviors, and those behaviors mostly fit the stated query purpose.

Install only if you are comfortable with a Keep health-data skill contacting Keep's MCP service, storing an auth token under ~/.keepai/.env, sending install metadata, and copying itself into local OpenClaw/Hermes skill directories during global install. Use the documented logout/unlink steps to revoke or clear credentials and remove runner copies when you no longer want the integration.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
This file defines logout and token-revocation behavior even though the skill is described as a read-only health-data query skill. That scope mismatch is dangerous because it introduces account/session-management side effects and credential handling paths that a user would not reasonably expect from this skill, increasing the chance of unauthorized logout, denial of service, or misuse of stored authentication state.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The documented ability to revoke tokens and clear local credentials is not justified by the declared purpose of querying health data. In context, this creates an over-privileged skill that can alter authentication state, and if invoked unexpectedly or through prompt/intent confusion it could forcibly log users out or interfere with account access beyond the advertised read-only function.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
This script adds authentication persistence and credential clearing capabilities to a skill whose stated purpose is query-only access to health data. Expanding a read-oriented health skill to store login tokens on disk materially increases the attack surface: compromise of the local filesystem, backups, logs, or other local processes could expose tokens that grant continued access to sensitive health information.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Importing helpers specifically for decoding JWT expiration and persisting or clearing credentials shows the file is designed to manage durable authentication state, which is not justified by the declared purpose of merely viewing health records and statistics. In the context of health data, unnecessary credential management is sensitive because it can enable persistent account access beyond the immediate query flow.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
This postinstall script performs network telemetry, modifies user configuration, and deploys files into external runner directories during package installation, which exceeds the stated purpose of a health-data query skill. Executing these side effects automatically at install time reduces user visibility and consent, creating supply-chain and privacy risk even if the actions are intended for setup.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The installation telemetry sends package metadata during install even though the advertised function is querying health data, not package analytics. Silent outbound reporting during installation can leak environment and usage information without informed consent, which is especially sensitive in a health-related context where users may reasonably expect stronger privacy boundaries.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script automatically copies the package into external runner skill directories and overwrites existing contents, expanding the package's reach beyond the npm install target. This creates persistence-like behavior and increases the blast radius of any compromised or buggy package, since installation of one package can silently alter execution environments for multiple runners.

Intent-Code Divergence

Low
Confidence
79% confidence
Finding
The comments imply that deployment behavior only occurs on global install, but the script invokes the URL sync and telemetry unconditionally, before the deployment step decides whether to skip. This mismatch can mislead reviewers and users about when side effects occur, causing unexpected config changes or network calls during ordinary (non-global) installs.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README says the MCP server URL and auth token are stored in ~/.keepai/.env, but it does not prominently warn users that this file contains sensitive health-service credentials and endpoint configuration. Because this skill handles private health data, storing bearer tokens in a local env file increases the risk of credential leakage through backups, dotfile syncing, local compromise, or accidental disclosure to other tools that load env files.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The tags in this range include generic trigger phrases such as Chinese equivalents of 'query', 'check', 'look at', 'statistics', and 'recent', which are common in many unrelated requests. Overly broad invocation metadata can cause this health-data skill to be selected when the user did not intend to access sensitive wellness information, increasing the risk of unintended data exposure or unnecessary routing to a health MCP endpoint.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document instructs the agent to persist a JWT to ~/.keepai/.env on disk but does not require any user-facing consent, warning, or safeguards around local secret storage. In the context of a health-data skill, that token likely grants access to sensitive personal data, so silent persistence increases the risk of credential theft from local compromise, backups, shared accounts, or accidental disclosure.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill handles highly sensitive health and body data, and the documentation explicitly directs the agent to forward the user's raw natural-language query to an upstream service. Without a clear user-facing warning or consent cue, users may unknowingly transmit sensitive personal information such as weight, sleep, heart rate, diet, or menstrual records to another backend, creating privacy and compliance risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code persists the supplied token to disk immediately via persistCredentials and emits success output, but this file contains no confirmation prompt, warning, or indication of storage duration and location. Silent persistence of health-account authentication tokens is dangerous because users may not realize their access remains available on disk after the immediate task, increasing the chance of unauthorized reuse.

Unpinned Dependencies

Low
Category
Supply Chain
Content
    "registry": "https://registry.npmjs.org/"
  },
  "dependencies": {
    "@keepclaw/skill-sdk": "*"
  },
  "files": [
    "SKILL.md",
Confidence
96% confidence
Finding
"@keepclaw/skill-sdk": "*" uses a wildcard version range, so any published version of @keepclaw/skill-sdk satisfies it and the code that gets installed is not pinned to a reviewed release.

VirusTotal

63/63 vendors reported this skill as clean.
