Brainstorming

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed design-workflow skill with an optional local browser companion, not hidden malware or an exfiltration tool.

Install this if you want a mandatory design-before-implementation workflow. Review generated specs and commits before pushing them, keep the visual companion bound to localhost unless you are on a trusted network, and know that browser option clicks are stored locally in the session .events file for the agent to read.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (9)

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 89%
Finding: The skill is described as a design/brainstorming aid, but it also instructs use of a browser-based 'visual companion' and references additional behavior that can include local server orchestration, browser interaction, and event transmission outside the declared scope. Hidden or under-declared operational behavior is dangerous because users may consent to a harmless-seeming planning skill while actually enabling interactive tooling with broader access to local resources and user activity.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The script establishes a persistent WebSocket connection, queues and transmits UI events, and accepts server-side commands to alter browser behavior. For a skill whose stated purpose is brainstorming and intent exploration, this is unnecessary hidden telemetry and remote-control functionality that expands the trust boundary and creates an avenue for surveillance or abuse.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: The client blindly trusts a WebSocket message with type 'reload' and immediately reloads the page. This gives the server an unnecessary remote control primitive that can disrupt user workflow, enable denial-of-service through reload loops, and facilitate delivery of changed content without a user-initiated refresh.

Description-Behavior Mismatch
Severity: High
Confidence: 97%
Finding: This file implements a live HTTP/WebSocket server, file watcher, browser-facing HTML injection, and event logging, which is materially broader than a brainstorming-only skill that should only help explore intent and design. The mismatch is dangerous because it creates an unnecessary network-exposed runtime surface that can collect user interactions and host dynamic UI content, increasing the chance of unauthorized access, data exposure, or abuse if the server is reachable beyond the expected local context.

Context-Inappropriate Capability
Severity: High
Confidence: 96%
Finding: The code accepts arbitrary WebSocket text messages, parses them as events, logs them to stdout, and persists selected events to a hidden file in /tmp. For a brainstorming skill, capturing and retaining user interaction data is unjustified and risky because it can collect sensitive choices or metadata without clear authorization, minimization, retention limits, or access controls.

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding: The server serves the newest HTML file from a watched directory and exposes related files over HTTP, effectively acting as a local UI host. In the context of a brainstorming-only skill, this is an unnecessary capability expansion that can expose local content and render untrusted HTML/JavaScript, making the skill more dangerous than its declared purpose suggests.

Missing User Warnings
Severity: Medium
Confidence: 91%
Finding: Queued events are automatically sent over the WebSocket when the connection opens, with no indication in the code of user notice, consent, or data minimization. Silent transmission of interaction data is a privacy issue on its own, and using an unencrypted ws:// channel further increases exposure to interception or tampering on untrusted networks.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The click handler captures user interaction details including visible text, choice identifiers, element IDs, and timestamps, then transmits them to the server without warning. In a brainstorming context, option labels may contain sensitive design ideas, internal project names, or user preferences, so this collection exceeds what users would reasonably expect from a design-assistance skill.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The skill explicitly instructs the agent to read browser interaction data from a `.events` file and use it as input, but it does not require any clear user-facing disclosure that clicks and selections are being logged. This creates a privacy and transparency issue because users may believe they are only interacting visually in the browser, while their behavior is being persistently recorded and analyzed alongside terminal responses.

VirusTotal

65/65 vendors flagged this skill as clean.