X1 Vault Memory

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but its restore path can overwrite workspace files too broadly without a preview or enforced allowlist.

Review before installing. Use only a dedicated low-balance wallet and a minimally scoped Pinata token, do not back up secrets or regulated data in agent memory, and restore only CIDs you created and trust. Full restore can overwrite workspace files; prefer selective restore and keep a local copy before restoring.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity: Medium (93% confidence)
Finding:
The backup routine reads a local blockchain wallet secret key from wallet.json and repurposes it as encryption input for backup material. Even though the key is not explicitly exfiltrated, accessing unrelated high-value credentials expands the blast radius of the skill and creates a dangerous coupling: compromise of the backup workflow or logs/errors could expose wallet material and loss of the wallet secret would also weaken backup confidentiality.

Description-Behavior Mismatch

Severity: High (97% confidence)
Finding:
The restore path untars attacker-controlled archive contents into the workspace root, which is broader than the skill's stated purpose of restoring agent memory. Even though the payload is encrypted and checksum-verified, a malicious or compromised backup can overwrite arbitrary workspace files, enabling code tampering, configuration poisoning, or persistence in future agent runs.

Missing User Warnings

Severity: Medium (88% confidence)
Finding:
The README encourages backing up highly sensitive agent files (identity, instructions, user profile, and memory) to third-party infrastructure such as IPFS/Pinata and anchoring metadata on-chain, but it does not clearly warn users what categories of local data will leave the system or the privacy implications of doing so. Although the data is described as encrypted, the skill still transfers sensitive material to external services and creates durable external references, which can expose users to privacy, compliance, and data-handling risks if they misunderstand what is being uploaded.

Missing User Warnings

Severity: Medium (88% confidence)
Finding:
The code silently accesses wallet credentials with no explicit consent, prompt, or disclosure to the user. In an agent skill context this is risky because users may not expect backup functionality to touch blockchain secrets at all, and undisclosed access to sensitive local credentials undermines trust and can conceal abusive behavior.

Missing User Warnings

Severity: Medium (90% confidence)
Finding:
The skill uploads the encrypted backup to IPFS without prior user warning or confirmation. Even though the payload is encrypted, it contains the agent's identity and memory archive, and publishing ciphertext plus metadata to a public or third-party content network is still a sensitive data transfer that users should explicitly authorize.

Missing User Warnings

Severity: Low (79% confidence)
Finding:
The code anchors the backup CID to the X1 blockchain without advance disclosure, creating an immutable public record tied to the backup event. While the anchored value is only a CID, this can still reveal timing, usage patterns, and a persistent link to stored encrypted data, which is privacy-relevant in the context of agent memory backups.

Missing User Warnings

Severity: Medium (93% confidence)
Finding:
The code restores archive contents directly into the workspace without any confirmation, preview, or overwrite warning. In a skill context, this can lead to silent replacement of files and unexpected state changes, increasing the chance of destructive or malicious restoration when a user supplies an untrusted CID.

Missing User Warnings

Severity: Medium (88% confidence)
Finding:
This code sends whatever file or buffer contents it is given to an external third-party service (Pinata/IPFS) without any in-code consent, policy gate, destination allowlisting beyond the hardcoded host, or user-visible disclosure. Even if the file is intended to be encrypted, the function will upload any bytes it receives, so misuse or upstream mistakes could cause sensitive data exfiltration to a persistent, publicly addressable storage network.

VirusTotal

63/63 vendors flagged this skill as clean.