EFT - Emotional Framework Translator

Security checks across malware telemetry and agentic risk

Overview

This skill appears locally focused and not malicious, but it automatically records agent responses and exposes recent history through unauthenticated local HTTP APIs.

Install only if you are comfortable with the skill observing agent responses and keeping a local history. Avoid using it in sessions with secrets, personal data, regulated data, or proprietary work unless you can restrict gateway access to trusted local clients, remove wildcard CORS or add authentication, choose a protected log path, verify the Rust/Python engine source, and define a way to purge retained logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill advertises broad agent-response interception and external engine integration, yet declares no permissions while indicating environment/code capabilities. That gap undermines user consent and platform policy enforcement because operators may not realize the skill can access runtime context or environment-derived data during setup or execution.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
This is a true security-relevant mismatch: the skill is presented as an emotion analyzer, but the described behavior includes persistent logging, metadata collection, HTTP exposure, and loading code from external desktop paths. Hidden data retention and externally sourced code substantially increase the attack surface and can lead to privacy leakage, unauthorized local access, and supply-chain risk.

Description-Behavior Mismatch

Low
Confidence
88% confidence
Finding
The plugin extracts not only assistant text but also model name, token counts, latency, tool-call count, and session key, then stores them with analysis results. This broadens collection beyond emotion analysis and can expose operational metadata that aids profiling, correlation of sessions, or leakage of internal identifiers if the log or API is accessed.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The plugin registers unauthenticated HTTP endpoints, allows any origin via CORS on API responses, and exposes latest/history data while also accepting arbitrary text for analysis. This creates a local data exposure surface and a cross-origin reachable interface that other websites or local processes may query, which is not necessary for core background analysis.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documentation explicitly states the system intercepts every AI agent response and later shows that the hook captures text, model, tokens, latency, and tool calls. In an agent environment, this can expose sensitive prompts, outputs, secrets, and user data through pervasive monitoring without a prominent upfront privacy warning or consent model.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The dashboard section promotes real-time visibility, logs, and history views but does not clearly warn that analyzed responses are stored locally and accessible via API/history endpoints. This increases the chance operators unknowingly retain and expose sensitive model outputs or user content beyond the original interaction.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
A skill that hooks into every AI agent response effectively performs broad monitoring of potentially sensitive prompts, outputs, and derived metadata. Without an explicit privacy warning, retention policy, and scope limits, users may unknowingly expose secrets, personal data, or proprietary content to logging and dashboard surfaces.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The UI explicitly tells users that agent responses are captured automatically, yet provides no notice, consent flow, or warning about monitoring of potentially sensitive model outputs. In the context of an emotion-analysis skill that inspects every response, this creates a real privacy and surveillance risk, especially if users or operators may not understand that prompts and outputs are being retained and analyzed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The plugin persistently logs analyzed agent output, sentence-level results, metrics, session-related metadata, and a preview of the response to a JSONL file on disk without any consent or warning mechanism. If responses contain secrets, personal data, or sensitive business content, this creates durable local leakage and increases blast radius from host compromise or casual local access.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The latest and history endpoints return stored analysis data without authentication, and the responses include wildcard CORS headers. That means remembered conversation-derived content and associated metadata can be retrieved by unauthorized local clients and potentially by web pages able to reach the service, making the stored data materially easier to exfiltrate.

Ssd 3

High
Confidence
98% confidence
Finding
The plugin builds a rich record containing emotional analysis, sentence data, metrics, process metadata, and a preview of the analyzed text, then stores it persistently in memory and on disk. In the context of an agent plugin that observes assistant outputs, this effectively creates a shadow transcript and metadata trail, which becomes a significant confidentiality risk if users assume outputs are ephemeral.

Ssd 3

High
Confidence
99% confidence
Finding
These endpoints disclose the most recent and historical remembered records derived from agent outputs with no authentication and permissive CORS. Because the plugin has already persisted conversation-derived content, the HTTP API turns passive local retention into an active exfiltration interface, substantially increasing exploitability and real-world data leak risk.

VirusTotal

66/66 vendors flagged this skill as clean.
