Metacognition

Security checks across malware telemetry and agentic risk

Overview

The skill’s self-reflection purpose is coherent, but its code contradicts its security claims by sending memory text to a configurable embeddings URL through curl without localhost validation.

Review before installing. Only use this skill if you are comfortable with persistent agent self-memory and can ensure EMBEDDINGS_URL is unset or points to a trusted local service. The publisher should align the code with the stated security posture by removing curl/subprocess, enforcing localhost-only endpoints, and clearly disclosing what text is sent for embeddings.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (8)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if _embeddings_available is not None:
    return _embeddings_available
try:
    result = subprocess.run(
        ["curl", "-s", "-m", "2", "-X", "POST", EMBEDDINGS_URL,
         "-H", "Content-Type: application/json",
         "-d", json.dumps({"input": "test"})],
Confidence
90% confidence
Finding
result = subprocess.run( ["curl", "-s", "-m", "2", "-X", "POST", EMBEDDINGS_URL, "-H", "Content-Type: application/json", "-d", json.dumps({"input": "test"

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if not _test_embeddings():
    return None
try:
    result = subprocess.run(
        ["curl", "-s", "-m", "10", "-X", "POST", EMBEDDINGS_URL,
         "-H", "Content-Type: application/json",
         "-d", json.dumps({"input": text[:2000]})],  # truncate long texts
Confidence
94% confidence
Finding
result = subprocess.run( ["curl", "-s", "-m", "10", "-X", "POST", EMBEDDINGS_URL, "-H", "Content-Type: application/json", "-d", json.dumps({"input": text[

Tainted flow: 'EMBEDDINGS_URL' from os.environ.get (line 42, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
if _embeddings_available is not None:
    return _embeddings_available
try:
    result = subprocess.run(
        ["curl", "-s", "-m", "2", "-X", "POST", EMBEDDINGS_URL,
         "-H", "Content-Type: application/json",
         "-d", json.dumps({"input": "test"})],
Confidence
95% confidence
Finding
result = subprocess.run( ["curl", "-s", "-m", "2", "-X", "POST", EMBEDDINGS_URL, "-H", "Content-Type: application/json", "-d", json.dumps({"input": "test"

Tainted flow: 'EMBEDDINGS_URL' from os.environ.get (line 42, credential/environment) → subprocess.run (code execution)

Medium
Category
Data Flow
Content
if not _test_embeddings():
    return None
try:
    result = subprocess.run(
        ["curl", "-s", "-m", "10", "-X", "POST", EMBEDDINGS_URL,
         "-H", "Content-Type: application/json",
         "-d", json.dumps({"input": text[:2000]})],  # truncate long texts
Confidence
97% confidence
Finding
result = subprocess.run( ["curl", "-s", "-m", "10", "-X", "POST", EMBEDDINGS_URL, "-H", "Content-Type: application/json", "-d", json.dumps({"input": text[

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill is described as local self-reflection/memory processing, but the implementation sends text to an embeddings service. This mismatch is security-relevant because operators may trust the skill with sensitive agent transcripts under the false assumption that processing stays local.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
For a memory/reflection skill, invoking external subprocesses to perform networking is unnecessary and broadens the capability surface beyond the advertised purpose. That makes abuse and stealthier data egress easier, especially in agent environments where skills are expected to be narrowly scoped.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Extracted daily-note content is funneled into `get_embedding`, so note text may be transmitted to the embeddings endpoint without any user-facing disclosure. Because these notes are likely to contain sensitive session reflections, this is a significant privacy and data-handling issue in the context of a metacognition skill.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The `add` command immediately sends user-supplied text for embedding without informing the user that their input may leave the local skill. In a self-reflection/memory component, users are especially likely to submit sensitive internal reasoning, making undisclosed transmission more dangerous.

VirusTotal

65/65 vendors flagged this skill as clean.
