Cerebrun

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate Cerebrun client, but it gives agents broad access to sensitive personal memory, stored keys, vault-related data, and conversation history without enough guidance on how the user controls that access.

Install only if you trust Cerebrun with personal context, stored knowledge, and LLM conversation history. Configure the API key deliberately, avoid broad agent access to Layer 2, Layer 3, or prior conversations, and require explicit confirmation before retrieving stored keys, identity data, vault fields, or sending sensitive prompts through the LLM gateway.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill advertises and demonstrates network access and use of environment-provided secrets (`$API_KEY` / `CEREBRUN_API_KEY`) but does not declare permissions or security boundaries. In an agent setting, this can cause implicit secret access and outbound transmission without clear authorization, reducing transparency and weakening policy enforcement.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill is designed to access highly sensitive context, including personal identity information, API keys, and an encrypted vault, yet the documentation provides no strong warning, consent flow, or data handling constraints. Because this skill centers on persistent personal memory, the context makes the issue more dangerous: misuse could expose a user's most sensitive stored information to the agent or remote service.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The reference documents `update_context` as a write-capable operation but does not clearly warn that it permanently modifies stored user context. In an agent setting, this omission can cause accidental integrity violations such as overwriting preferences, projects, goals, or identity-related data without the user understanding the persistence and scope of the change.

Missing User Warnings

High
Confidence
97% confidence
Finding
The `chat_with_llm` reference omits that user prompts are transmitted to an external provider, which creates a significant privacy and data-governance risk. Because this skill also exposes personal context, knowledge base contents, and conversation history, an agent could forward sensitive data to third-party models without the user realizing the boundary crossing.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This client is explicitly designed to send user context, conversation history, knowledge-base content, and other potentially sensitive personal data to the remote cereb.run MCP endpoint, but the code provides no user-facing warning, consent gate, redaction, or data-minimization control before transmission. In a personal memory/context management skill, this is especially sensitive because the exposed data can include identity details, project information, vault access requests, and LLM conversation history.

External Transmission

Medium
Category
Data Exfiltration
Content
## Usage

### Get Context

```shell
curl -X POST \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"get_context","arguments":{"layer":0}}}' \
```
Confidence
91% confidence
Finding
```shell
curl -X POST \
  -H "Authorization: Bearer $API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"jsonrpc":"2.0","id":1,"method":"tools/call","params":{"name":"get_context","arguments":{"layer":0
```

VirusTotal

66/66 vendors flagged this skill as clean.
