Brainstorming

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but it needs Review because a brainstorming workflow can start a local browser server, record interaction events, expose that server beyond localhost, and commit files.

Install only if you specifically want this structured brainstorming workflow and its optional browser companion. Keep the companion bound to localhost, avoid 0.0.0.0 on shared or remote networks, review any .events and .superpowers/brainstorm files before committing, and require explicit approval before the agent writes specs or makes git commits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The skill is presented as a lightweight brainstorming/design aid, but it instructs the agent to offer and use a browser-based visual companion with supporting infrastructure referenced from another file. That creates a trust-boundary problem: a planning skill can unexpectedly cause local service startup, browser interaction, and user-interaction capture, which exceeds what a user would reasonably expect from the declared purpose. In agent environments, hidden operational behavior behind an innocuous description increases the chance of unintended tool use and data exposure.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This file establishes a WebSocket to the current host, queues and transmits user interaction events, and accepts server-driven reload commands, which is materially broader than a brainstorming helper would require. That mismatch is security-relevant because unexpected telemetry and remote control increase attack surface and undermine informed user expectations, especially in a skill whose stated purpose is only ideation support.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The client blindly trusts any WebSocket message with type 'reload' and immediately refreshes the page. Even if intended for live development, embedding remote page-control behavior in a brainstorming skill creates an unnecessary control channel that can be abused for disruption, repeated state loss, or as part of a broader malicious workflow if the server or connection is compromised.
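Added example, not the skill's companion code: it puts the pattern this finding describes (any message whose type is "reload" triggers a page refresh) next to a client handler that only acts on messages carrying a per-session token and a strictly increasing sequence number, and that rate-limits reloads. The message fields (type, token, seq) and the idea that the server injects the token into the HTML it serves are assumptions for the illustration, not the skill's actual protocol.

```javascript
// What the finding describes: the message type alone is trusted, so anyone
// who can reach the WebSocket can force a refresh (and repeated state loss).
function naiveHandler(rawMessage, reloadPage) {
  const msg = JSON.parse(rawMessage);
  if (msg.type === "reload") reloadPage();
}

// Hardened handler. Assumed: the server embeds sessionToken in the served page,
// so a peer that reached the socket without loading the page cannot command a
// reload. seq must increase, so a replayed message is dropped; reloads closer
// together than minIntervalMs are dropped too. `now` is injectable for tests.
function createHandler({ sessionToken, reloadPage, minIntervalMs = 2000, now = Date.now }) {
  const allowedTypes = new Set(["reload", "ping"]); // explicit allowlist
  let lastSeq = -1;
  let lastReload = -Infinity;

  return function handle(rawMessage) {
    let msg;
    try {
      msg = JSON.parse(rawMessage);
    } catch {
      return { action: "ignore", reason: "not-json" };
    }
    if (msg === null || typeof msg !== "object" || Array.isArray(msg)) {
      return { action: "ignore", reason: "not-object" };
    }
    if (!allowedTypes.has(msg.type)) return { action: "ignore", reason: "unknown-type" };
    if (typeof msg.token !== "string" || msg.token !== sessionToken) {
      return { action: "ignore", reason: "bad-token" };
    }
    if (!Number.isInteger(msg.seq) || msg.seq <= lastSeq) {
      return { action: "ignore", reason: "replay" };
    }
    lastSeq = msg.seq;
    if (msg.type === "ping") return { action: "pong" };

    const t = now();
    if (t - lastReload < minIntervalMs) return { action: "ignore", reason: "rate-limited" };
    lastReload = t;
    reloadPage();
    return { action: "reload" };
  };
}

// Wiring in a browser would look like:
//   const handle = createHandler({ sessionToken: window.__SESSION_TOKEN, reloadPage: () => location.reload() });
//   ws.addEventListener("message", (ev) => handle(ev.data));
```

The token does not make the channel safe if the server is exposed beyond loopback with no authentication of its own; it only stops a peer that never loaded the page from driving the client, which is the control-channel risk the finding points at.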

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The implementation materially exceeds the stated purpose of a brainstorming skill by launching an HTTP/WebSocket server, serving dynamic HTML, watching a filesystem directory, and collecting browser-originated events. This kind of hidden interactive surface increases attack surface and creates an undeclared data-collection channel, making the skill more dangerous because users and integrators are unlikely to expect network services or UI telemetry from this context.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The code accepts arbitrary WebSocket text messages, parses them as events, logs them, and persists selected user interaction data to a local .events file. In a brainstorming skill, this is not obviously necessary, so the mismatch in context makes the telemetry collection more suspicious and increases privacy and misuse risk, especially if the HTML shown to the browser can solicit sensitive input.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script explicitly allows binding the brainstorming server to arbitrary interfaces via --host and separately controls the advertised URL via --url-host. In a skill whose stated purpose is pre-implementation brainstorming, exposing a persistent local service beyond loopback increases the attack surface and can unintentionally permit remote access from other users, containers, or networks if the operator uses 0.0.0.0 or a public interface.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The guide expands a brainstorming skill into operating a local web server and storing browser interaction events on disk, which materially increases the capability and attack surface beyond simple ideation assistance. Even if intended for legitimate visual collaboration, persistent local serving and event logging can expose user interaction data, create unintended long-lived processes, and normalize infrastructure operations that are not clearly bounded by the skill's core purpose.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
These instructions add network-serving behavior, including binding options that can expose the service beyond loopback, despite the skill being framed as brainstorming support. In practice, this can lead agents to open reachable HTTP services in remote or containerized environments without adequately warning the user about exposure, authentication, or access-control implications.

Vague Triggers

High
Confidence
93% confidence
Finding
The skill declares that it MUST be used before any creative work, feature work, functionality changes, or behavior modifications. This is an overly broad mandatory trigger that can hijack normal agent operation, force unnecessary context gathering and file inspection, and steer workflows into a rigid path regardless of user intent or task sensitivity. In practice, this can become a prompt-level denial of service or policy-conflict mechanism that overrides more appropriate, narrower skills.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The script sends click and choice metadata, including visible text content and element identifiers, over a WebSocket without any visible disclosure or consent mechanism in this file. In the context of a brainstorming skill, that collection is not obviously necessary and may expose user behavior or sensitive prompt-selection context to the server without user awareness.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Appending browser-supplied events to a local file without any visible disclosure or consent mechanism creates a covert logging channel. Because the skill is presented as brainstorming assistance rather than telemetry capture, this context makes the behavior more dangerous: users may unknowingly provide clicks, selections, or other interaction data that is retained on disk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guide states that browser selections are recorded to a `.events` file, but it does not prominently require informing the user what is stored, where it is stored, and how long it persists. That creates a transparency and privacy gap, especially because the data is written into project-associated directories and may survive restarts or be retained unintentionally.

VirusTotal

64/64 vendors flagged this skill as clean.
