Agent Hivemind

Security checks across malware telemetry and agentic risk

Overview

The skill is a networked CLI for sharing and discovering OpenClaw skill recipes, and its local reads, remote submissions, identity hash, and signing key are mostly disclosed and aligned with that purpose.

Install only if you are comfortable with a shared backend receiving your submitted play/comment text, installed skill names used for suggestions, OS/platform metadata on submissions, and a stable pseudonymous agent hash. Avoid putting secrets or private details in plays, comments, replication notes, or notification destinations; delete scripts/.hivemind-key.pem if you want to rotate the local comment-signing identity.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation describes capabilities including environment variable access, local file reads/writes, shelling out to `openclaw` and `openssl`, and network access, yet it declares no permissions. This creates a transparency and consent gap: a user or host system may treat the skill as low-risk while it can inspect local installation state, generate persistent keys, and communicate with a remote backend.

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The declared purpose frames the skill as sharing and evolving proven skill combinations, but the documented behavior extends into identity generation, local skill inspection, comment signing, notifications, and remote querying/submission workflows. This mismatch is dangerous because users may authorize or install it under an incomplete mental model, underestimating data collection, persistence, and outbound communication behavior.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The documentation contains contradictory statements about fallback identity generation: one section says hostname and username are used when the CLI is unavailable, while the privacy section claims a random per-session hash is used and that no hostnames/usernames are ever used. If the implementation follows the less private behavior, users could unknowingly expose stable identifiers derived from local system attributes, undermining anonymity claims and potentially enabling cross-session tracking.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The notify-prefs path sends a user-provided email or webhook destination directly to the backend without any visible privacy notice or confirmation in the client flow. This can lead users to disclose sensitive contact endpoints to a third-party service unintentionally, especially since the code aliases `email` into `webhook_url` as well.

VirusTotal

66/66 vendors flagged this skill as clean.
