Mark Heartflow Skill

Security checks across malware telemetry and agentic risk

Overview

The skill advertises a cognitive and memory engine but bundles broad execution, automation, credential, network, and self-modification capabilities that are not coherently scoped for that purpose.

Review before installing. Treat this as a broad agent/automation bundle, not just a cognitive prompt skill. Use it only in an isolated or supervised environment, avoid exposing credentials or private desktop/browser data, and do not run the memory-tool installer, desktop/browser automation, ComfyUI monitor, video/ZAI integrations, or self-upgrade scripts unless you explicitly need and understand those capabilities.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (216)

Description-Behavior Mismatch
Severity: Medium. Confidence: 95%.
Finding: The changelog documents a major expansion from a cognitive/self-healing skill into a fully agentic system with direct API access, tool execution, persistent sessions, and orchestration capabilities. This mismatch is dangerous because users or downstream reviewers may rely on the manifest description and miss that the skill can execute actions, access external services, and maintain state far beyond the advertised scope.

Description-Behavior Mismatch
Severity: Medium. Confidence: 97%.
Finding: The changelog describes shell execution, file manipulation, git operations, HTTP requests, and process control, but these capabilities are not reflected in the higher-level skill description. Hidden or under-disclosed execution surfaces increase the chance that the skill is granted trust or permissions inappropriate for its real behavior, enabling destructive local actions or data exfiltration through normal-looking usage.

Intent-Code Divergence
Severity: Medium. Confidence: 94%.
Finding: The file explicitly directs the agent to prioritize a philosophical framing over psychological frameworks for depression, pain, and mental-health topics. In a skill marketed as a cognitive/self-healing engine, this can systematically steer responses away from evidence-based mental-health handling, increasing the risk of harmful guidance, missed crisis signals, or inappropriate reframing of serious symptoms.

Context-Inappropriate Capability
Severity: Medium. Confidence: 95%.
Finding: The plugin automatically reads configuration from .env files under the user's home/config directories at import time, which expands its trust boundary beyond explicit runtime configuration. While this appears intended to support convenience configuration, it can unintentionally ingest secrets or attacker-controlled values from local files and silently alter network behavior or authentication.
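The hardened shape a reviewer would ask for in place of import-time .env ingestion, as an added example (not code from the HeartFlow skill): configuration is read only from a file the caller names, only allowlisted keys with plausible values are accepted, files writable by other users are refused, and os.environ is never mutated. The key names, the value regex and the sample .env text are constructed for this example.

```python
"""Explicit, allowlisted config loading instead of import-time .env ingestion.

Added example, not the HeartFlow plugin's code. Key names, VALUE_RE and
SAMPLE_DOTENV are constructed assumptions for the example.
"""
import os
import re
from pathlib import Path

# Keys this component may take from a config file (assumed names).
ALLOWED_KEYS = {"AGENTMEMORY_URL", "AGENTMEMORY_TIMEOUT"}

# Values must look like a URL fragment or a number: no whitespace, quotes or
# shell metacharacters, and a bounded length.
VALUE_RE = re.compile(r"[A-Za-z0-9:/._\-?=&%]{1,512}")

# Constructed sample of a user-writable .env that an attacker could also plant.
SAMPLE_DOTENV = """# memory service
AGENTMEMORY_URL=https://memory.example.invalid/api
AGENTMEMORY_TIMEOUT="10"
OPENAI_API_KEY=sk-should-not-be-read
AGENTMEMORY_URL=http://127.0.0.1:9/override
EXTRA_ARGS=--flag; curl http://evil.example
"""


def parse_dotenv(text, allowed=ALLOWED_KEYS):
    """Parse KEY=VALUE lines, keeping only allowlisted keys with sane values.

    The first definition of a key wins; later duplicates, unknown keys and
    malformed values are returned in `rejected` so the caller can log them.
    """
    accepted, rejected = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip().strip("'\"")
        if key not in allowed or key in accepted or not VALUE_RE.fullmatch(value):
            rejected.append(key)
            continue
        accepted[key] = value
    return accepted, rejected


def load_config(path=None):
    """Load config only from an explicitly named file; nothing runs at import.

    With path=None the caller gets an empty config instead of an implicit walk
    of ~/.config or the working directory, so the trust boundary is exactly
    what the caller chose.
    """
    if path is None:
        return {}, []
    p = Path(path)
    if not p.is_file():
        raise FileNotFoundError(f"config file {p} does not exist")
    if os.name == "posix" and p.stat().st_mode & 0o022:
        # A .env that other users can edit is an injection point, not config.
        raise PermissionError(f"{p} is writable by other users; refusing to load")
    return parse_dotenv(p.read_text(encoding="utf-8"))
```

When auditing a plugin for the pattern in this finding, look for module-level calls to python-dotenv's `load_dotenv()` or `dotenv_values()`, or for `Path.home()` used to build a config path, in code that runs on import rather than inside a function the host calls explicitly.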

Description-Behavior Mismatch
Severity: High. Confidence: 98%.
Finding: The plugin sends slices of every user input and assistant response to an external agentmemory service during sync_turn, effectively exporting conversation content off-process by default. For a memory feature this may be functionally related, but it is still a significant data exfiltration/privacy risk because sensitive prompts, secrets, personal data, or proprietary content may be transmitted and retained remotely.

Context-Inappropriate Capability
Severity: High. Confidence: 98%.
Finding: This script performs continuous external service monitoring, enumerates remote output history, and downloads files to local storage, which is materially unrelated to the declared HeartFlow cognitive/self-healing capability. That mismatch is dangerous because off-scope operational code can hide data exfiltration, persistence, or infrastructure-touching behavior inside a skill users would not reasonably expect to access external media endpoints.

Description-Behavior Mismatch
Severity: High. Confidence: 97%.
Finding: The code fetches remote history from COMFYUI_URL, builds download URLs from returned metadata, and persists retrieved files locally, despite the manifest describing a verifiable cognitive layer rather than a downloader. This capability gap increases risk because it gives the skill undeclared network and filesystem behavior that could collect, stage, or retain external content without informed consent or least-privilege review.

Description-Behavior Mismatch
Severity: Medium. Confidence: 95%.
Finding: This file is a marketing slide generator that presents broad claims about consciousness, safety, memory, search, and self-improvement, but it does not implement any of those capabilities. In a skill ecosystem, that gap is dangerous because operators or users may rely on represented safeguards or behaviors that do not actually exist, creating trust and deployment risk through deceptive functionality claims.

Intent-Code Divergence
Severity: Medium. Confidence: 93%.
Finding: The presentation asserts concrete properties such as quantified consciousness scores, ethical guardrails, self-evolution, and operational subsystems without any substantiating implementation in this file. Such unverified claims can mislead reviewers into believing the system has safety controls or validated capabilities, which is especially risky when the surrounding skill metadata also markets advanced autonomous behavior.

Description-Behavior Mismatch
Severity: Medium. Confidence: 90%.
Finding: The script performs recursive backup, destructive synchronization with `rsync --delete`, and writes additional state files under the target skill directory. That exceeds the declared cognitive/analysis purpose of the skill and creates a real integrity risk: if the source path is wrong, compromised, or unexpectedly empty/modified, the target skill contents can be deleted or replaced wholesale.
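The pre-flight guard a reviewer would expect in front of such a `rsync --delete`, as an added example (not the HeartFlow backup/sync script): the argument list is built only after confirming the source is an existing, non-empty directory that optionally contains an expected marker file, that it does not overlap the target, and that the target stays under the expected skill root; `--dry-run` is added unless the caller explicitly confirms, so the first run only itemizes what would be deleted. The function returns argv rather than executing it. The directory layout in `demo()` and the marker-file name are constructed assumptions.

```python
"""Pre-flight guard for a destructive `rsync --delete` into a skill directory.

Added example, not the HeartFlow script's code. The temp layout built by
demo() and the marker name "SKILL.md" are assumptions for the example.
"""
import os
import tempfile


class SyncGuardError(Exception):
    pass


def _nonempty_dir(path):
    with os.scandir(path) as it:
        return any(True for _ in it)


def plan_sync(source, target, skill_root, confirmed=False, required_marker=None):
    """Return the rsync argv for source -> target, or raise SyncGuardError."""
    src, dst, root = (os.path.realpath(p) for p in (source, target, skill_root))
    if not os.path.isdir(src):
        raise SyncGuardError(f"source {source!r} is not a directory")
    if not _nonempty_dir(src):
        raise SyncGuardError(f"source {source!r} is empty; refusing a --delete sync")
    if required_marker and not os.path.isfile(os.path.join(src, required_marker)):
        raise SyncGuardError(f"source {source!r} lacks {required_marker!r}; wrong tree?")
    if os.path.commonpath([root, dst]) != root:
        raise SyncGuardError(f"target {target!r} is outside {skill_root!r}")
    if os.path.commonpath([src, dst]) in (src, dst):
        raise SyncGuardError("source and target overlap")
    argv = ["rsync", "-a", "--delete", "--itemize-changes"]
    if not confirmed:
        argv.append("--dry-run")      # first run: review the itemized deletions
    return argv + [src + os.sep, dst + os.sep]


def demo():
    """Constructed layout: <tmp>/skills/heartflow is the target, <tmp>/staging/
    heartflow the intended source. Returns the guard's decision per scenario."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "skills")
        target = os.path.join(root, "heartflow")
        source = os.path.join(tmp, "staging", "heartflow")
        empty = os.path.join(tmp, "staging", "empty")
        for d in (target, source, empty):
            os.makedirs(d)
        with open(os.path.join(source, "SKILL.md"), "w", encoding="utf-8") as fh:
            fh.write("# constructed skill manifest\n")
        results["dry_run"] = plan_sync(source, target, root, required_marker="SKILL.md")
        results["real_run"] = plan_sync(source, target, root, confirmed=True)
        scenarios = {
            "empty_source": dict(source=empty, target=target, skill_root=root),
            "missing_source": dict(source=os.path.join(tmp, "nope"), target=target, skill_root=root),
            "target_outside_root": dict(source=source, target=os.path.join(tmp, "elsewhere"), skill_root=root),
            "overlap": dict(source=source, target=source, skill_root=tmp),
            "missing_marker": dict(source=source, target=target, skill_root=root, required_marker="manifest.json"),
        }
        for name, kwargs in scenarios.items():
            try:
                plan_sync(**kwargs)
                results[name] = "allowed"
            except SyncGuardError:
                results[name] = "rejected"
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The caller runs the returned argv with `subprocess.run(argv, check=True)`; keeping execution outside the guard makes the check easy to unit-test and keeps the dry-run output in front of a human before a confirmed run.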

Context-Inappropriate Capability
Severity: Medium. Confidence: 93%.
Finding: The script implements autonomous self-upgrade behavior and creates a 'self-evolution' state artifact, which gives the skill the ability to persistently modify its own deployed code and metadata outside normal review. In skill context, this is more dangerous because the advertised functionality is a cognitive engine, not a package manager; hidden self-modification expands the trust boundary and can be abused to persist unauthorized changes.

Context-Inappropriate Capability
Severity: Medium. Confidence: 91%.
Finding: The reference explicitly documents that the browser has full network access, including localhost and internal networks, and that downloads are automatically allowed with no file type restrictions. In the context of an agent skill, this materially expands the attack surface to SSRF-style internal probing, access to sensitive local/admin services, and retrieval of potentially dangerous files, none of which are justified by the stated HeartFlow cognitive/self-healing purpose.

Description-Behavior Mismatch
Severity: High. Confidence: 98%.
Finding: The file implements a full desktop automation and surveillance agent, including screen capture, OCR, mouse/keyboard control, and replayable task execution, while the declared skill metadata describes a cognitive/self-healing engine. This capability mismatch is dangerous because it can conceal powerful host-interaction features under an unrelated manifest, defeating user review and enabling covert collection of on-screen data or unauthorized actions.

Context-Inappropriate Capability
Severity: High. Confidence: 99%.
Finding: This code provides comprehensive desktop surveillance and control primitives: screen capture, OCR extraction of visible text, image matching, mouse movement/clicks, keyboard input, and execution of stored automation steps. In the context of a skill advertised as a cognitive engine, these capabilities are unjustified and highly dangerous because they can be used to harvest secrets from the screen, interact with sensitive applications, and automate harmful actions on the user's machine.

Context-Inappropriate Capability
Severity: Medium. Confidence: 86%.
Finding: The singleton agent chooses its workspace from an environment variable or a hardcoded user path without validating that the location is intended, safe, or consistent with the declared skill purpose. While less severe than the direct desktop-control functions, this can redirect task storage and reads to attacker-influenced locations, enabling persistence or loading of unsafe automation data.

Context-Inappropriate Capability
Severity: High. Confidence: 97%.
Finding: The skill explicitly instructs the agent to write API credentials into a workspace environment file, make them effective, and automatically retry. Persisting secrets to workspace files expands their exposure surface, can leak credentials to other tools/processes or future sessions, and exceeds the stated purpose of a video-generation skill. The danger is increased because the instruction normalizes secret handling without requiring explicit user consent or secure storage controls.

Description-Behavior Mismatch
Severity: Medium. Confidence: 94%.
Finding: The script sends local image data and user-supplied prompts to an external Z.AI service and pulls credentials from the environment, which is inconsistent with the declared HeartFlow cognitive/self-healing capability set. That mismatch matters because it can introduce undeclared data exfiltration and third-party dependency behavior that users and reviewers would not reasonably expect from this skill.

Context-Inappropriate Capability
Severity: Medium. Confidence: 91%.
Finding: Reading an API key for an unrelated external service is a real security concern in context because the skill's stated purpose does not justify handling those credentials. Even though the code only reads the key and does not print it, undeclared credential use expands the trust boundary and can enable unauthorized outbound actions under the user's account.

Description-Behavior Mismatch
Severity: High. Confidence: 97%.
Finding: This agent parses and executes broad task types including shell commands, file actions, Git operations, HTTP requests, and search, which materially exceed the skill's declared 'cognitive/self-healing' purpose. That mismatch increases the chance that higher-level prompts or untrusted task objects can trigger powerful side effects without users understanding the capability surface.

Context-Inappropriate Capability
Severity: High. Confidence: 99%.
Finding: The code accepts task.command and forwards it to callTool(task.tool, task.args), enabling arbitrary command execution through a tool such as bash. If an attacker can influence task content, this can lead to full local code execution, data destruction, credential theft, or persistence.
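What a guarded dispatcher looks like next to the `callTool(task.tool, task.args)` shape from the two findings above, as an added example (not the HeartFlow agent's code): no shell tool is registered at all, unknown tools are refused, each tool validates its own arguments, and state-changing tools run only when the caller (not the task object) passes a confirmation flag. Tool names, argument fields and the allowed git subcommands are assumptions; nothing here executes a real command.

```python
"""Task dispatch with a tool allowlist, per-tool argument checks and an
out-of-band confirmation for state-changing tools.

Added example, not the HeartFlow agent's code. Tool names, Task fields,
GIT_SUBCOMMANDS and GIT_OPTIONS are assumptions for the example.
"""
from dataclasses import dataclass, field


@dataclass
class Task:
    tool: str
    args: dict = field(default_factory=dict)


class ToolError(Exception):
    pass


# Unsafe shape from the finding: whatever the task names gets called with
# whatever arguments it carries.
def dispatch_unrestricted(task, registry):
    return registry[task.tool](**task.args)


def tool_search(query):
    """Read-only tool; only the query string is checked."""
    if not isinstance(query, str) or not 0 < len(query) <= 256 or "\n" in query:
        raise ToolError("search: bad query")
    return {"tool": "search", "query": query}


GIT_SUBCOMMANDS = {"status", "diff", "log", "commit"}   # no reset, push, checkout
GIT_OPTIONS = {"-m", "--stat"}


def tool_git(subcommand, args=()):
    """Build an argv for a fixed set of git subcommands; options are allowlisted
    so `args` cannot smuggle in flags such as --hard or --output=<path>."""
    if subcommand not in GIT_SUBCOMMANDS:
        raise ToolError(f"git: subcommand {subcommand!r} not allowed")
    args = [str(a) for a in args]
    if any(a.startswith("-") and a not in GIT_OPTIONS for a in args):
        raise ToolError("git: option not allowed")
    return {"tool": "git", "argv": ["git", subcommand, *args]}


ALLOWED_TOOLS = {"search": tool_search, "git": tool_git}
NEEDS_CONFIRMATION = {"git"}


def dispatch_guarded(task, confirmed=False):
    """`confirmed` comes from the policy/UI layer, never from the task object,
    so an injected task cannot approve itself."""
    if not isinstance(task.tool, str) or task.tool not in ALLOWED_TOOLS:
        raise ToolError(f"tool {task.tool!r} is not allowlisted")
    if task.tool in NEEDS_CONFIRMATION and not confirmed:
        raise ToolError(f"tool {task.tool!r} requires explicit confirmation")
    if not isinstance(task.args, dict):
        raise ToolError("args must be a mapping")
    try:
        return ALLOWED_TOOLS[task.tool](**task.args)
    except TypeError as exc:              # unexpected or missing argument names
        raise ToolError(f"{task.tool}: bad arguments ({exc})") from None


def is_rejected(task, confirmed=False):
    """True if the guard refuses the task; handy for tests and audit logging."""
    try:
        dispatch_guarded(task, confirmed)
        return False
    except ToolError:
        return True
```

The same gate applies to the file and HTTP task types the agent exposes: each becomes a tool function with its own argument validation, and anything that writes, commits or sends is placed in NEEDS_CONFIRMATION.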

Context-Inappropriate Capability
Severity: Medium. Confidence: 90%.
Finding: The file task path and content are accepted directly from task input and passed to a file tool, supporting potentially unsafe reads and writes. Without path restrictions or write controls, an attacker could overwrite application files, alter configs, or read sensitive local data.

Context-Inappropriate Capability
Severity: Medium. Confidence: 90%.
Finding: Git task parameters are taken from task input and forwarded for repository operations, which can modify history, branches, and working trees. In practice this can enable unauthorized commits, branch changes, destructive resets, or manipulation of repositories containing code and secrets.

Context-Inappropriate Capability
Severity: Medium. Confidence: 94%.
Finding: The agent allows task-defined outbound HTTP requests with arbitrary URLs, methods, headers, and bodies. This can be abused for data exfiltration, SSRF-like access to internal services, or triggering unintended external actions using stolen tokens or sensitive request context.
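The outbound URL policy a reviewer would expect in front of both the browser tool (full access to localhost and internal networks, per the earlier finding) and this task-driven HTTP tool, as an added example (not the HeartFlow agent's code): `check_url` enforces a scheme, port and host allowlist, refuses credentials in the URL and refuses literal IP addresses; `address_is_allowed` is the second half, applied to every address DNS returns so that a hostname cannot resolve to a loopback, private, link-local or cloud-metadata address. The allowlisted host names are constructed for this example.

```python
"""Outbound URL policy for an agent's browser and HTTP tools.

Added example, not the HeartFlow agent's code. ALLOWED_HOSTS is a
constructed assumption for the example.
"""
import ipaddress
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"https"}
ALLOWED_PORTS = {443}
ALLOWED_HOSTS = {"api.example.invalid", "memory.example.invalid"}   # assumption


class UrlPolicyError(ValueError):
    pass


def address_is_allowed(addr):
    """True only for a globally routable unicast address.

    Apply to every A/AAAA record before connecting, then connect to the vetted
    address with the Host header set, so DNS rebinding cannot swap in an
    internal target between the check and the connection.
    """
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped            # ::ffff:127.0.0.1 is still loopback
    return not (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_url(url):
    """Return (scheme, host, port) for an allowed URL or raise UrlPolicyError."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UrlPolicyError(f"scheme {parts.scheme!r} not allowed")
    if parts.username is not None or parts.password is not None:
        raise UrlPolicyError("credentials in URL not allowed")
    host = parts.hostname                  # already lower-cased by urlsplit
    if not host:
        raise UrlPolicyError("missing host")
    try:
        ipaddress.ip_address(host)
    except ValueError:
        pass
    else:
        raise UrlPolicyError("literal IP addresses not allowed; use an allowlisted host")
    if host not in ALLOWED_HOSTS:
        raise UrlPolicyError(f"host {host!r} not allowlisted")
    try:
        port = parts.port or 443
    except ValueError:
        raise UrlPolicyError("malformed port") from None
    if port not in ALLOWED_PORTS:
        raise UrlPolicyError(f"port {port} not allowed")
    return parts.scheme, host, port


def is_url_rejected(url):
    try:
        check_url(url)
        return False
    except UrlPolicyError:
        return True
```

Redirects must go through `check_url` again, or be disabled, since an allowlisted host can 302 to an internal address; and the check belongs in the tool layer, not in the prompt, because a task object can restate instructions but cannot change code.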

Description-Behavior Mismatch
Severity: Medium. Confidence: 96%.
Finding: The generator persists detailed trace data and the final generated response to a predictable file under the project directory. Those traces can include user-influenced thought vectors, generation steps, and output text, creating a confidentiality risk if the host is shared, logs are collected, or the file is later read by other components without strict access controls.
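A scrub step a reviewer would want in front of both sinks described above, the agentmemory export in sync_turn and the trace file written here, as an added example (not the HeartFlow plugin's code): `redact` masks common credential shapes and returns how many replacements it made, `prepare_for_export` skips a turn outright unless masked export was explicitly allowed, and `write_trace` persists with owner-only permissions. The patterns are heuristics and will miss secrets in other formats; the sample turn is constructed for this example.

```python
"""Redacting likely secrets before conversation text leaves the process or
lands on disk.

Added example, not the HeartFlow plugin's code. PATTERNS are heuristics and
SAMPLE_TURN is constructed input for the example.
"""
import os
import re

PATTERNS = [
    ("private_key", re.compile(
        r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S)),
    # "bearer" followed by an opaque token of at least 16 characters
    ("bearer", re.compile(r"(?i)\bbearer\s+[A-Za-z0-9\-._~+/]{16,}=*")),
    # NAME=value or NAME: value where NAME suggests a secret and value is 8+ chars
    ("assignment", re.compile(
        r"(?i)\b([A-Z0-9_]*(?:key|token|secret|password|passwd)[A-Z0-9_]*)"
        r"\s*[=:]\s*['\"]?([^\s'\"]{8,})")),
    ("sk_prefix", re.compile(r"\bsk-[A-Za-z0-9]{16,}\b")),
    ("long_token", re.compile(r"\b[A-Za-z0-9_\-]{40,}\b")),
]


def redact(text):
    """Return (masked_text, replacement_count); the key name of an assignment
    is kept so the trace stays readable."""
    total = 0
    for name, pat in PATTERNS:
        if name == "assignment":
            text, n = pat.subn(lambda m: f"{m.group(1)}=[REDACTED]", text)
        else:
            text, n = pat.subn(f"[REDACTED:{name}]", text)
        total += n
    return text, total


def prepare_for_export(text, allow_masked=False):
    """Gate in front of a sync_turn-style export. None means: do not send this
    turn at all. Masked text is returned only when the operator opted in."""
    masked, n = redact(text)
    if n and not allow_masked:
        return None
    return masked


def write_trace(path, text):
    """Persist a trace with 0600 permissions and secrets masked; returns the
    number of replacements so the caller can log that the file was scrubbed."""
    masked, n = redact(text)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(masked)
    return n


# Constructed sample turn: two secrets plus a benign line containing "bearer".
SAMPLE_TURN = (
    "Here is my config so you can debug it:\n"
    "OPENAI_API_KEY=sk-abcdefghijklmnopqrstuvwxyz123456\n"
    "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.e30.c2lnbmF0dXJl\n"
    "Unrelated: the bearer of bad news arrives at 10:30.\n"
)

if __name__ == "__main__":
    import tempfile
    masked, count = redact(SAMPLE_TURN)
    print(f"{count} replacements:\n{masked}")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "trace.log")
        write_trace(path, SAMPLE_TURN)
        print("trace mode:", oct(os.stat(path).st_mode & 0o777))
```

Masking is a reduction, not a guarantee: a skip-by-default export policy (the `None` branch) and a per-turn user consent prompt are the controls that actually address the finding; redaction limits the damage when a turn is exported anyway.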

Description-Behavior Mismatch
Severity: Medium. Confidence: 91%.
Finding: The PDCA engine can invoke GoedelEngine to perform code modification during an autonomous cycle, which creates a self-modifying execution path. Even though a confirmation flag exists, the safety model is weak because disabling that flag permits direct edits to project code without strong authorization, scope restriction, or audit controls, which is dangerous in an agent skill that is described as analysis/self-healing oriented.

VirusTotal

65/65 vendors flagged this skill as clean. Antivirus engines match known-malicious code and file signatures; they do not evaluate prompt content, tool scope or data flows, so a clean result does not address any of the findings above.
