Back to skill

Security audit

NormieClaw Full Stack

Security checks across malware telemetry and agentic risk

Overview

This appears to be a legitimate all-in-one skill bundle, but it needs Review because a single install can enable broad access to sensitive finance, email, calendar, health, memory, shell, network, and database workflows without clear bundle-level scoping.

Install only the specific skills you need instead of the full bundle. Before enabling any skill, review whether it can run shell commands, use web_search/web_fetch, read email or calendar data, process financial or health records, index workspace memory, schedule recurring jobs, or use Supabase service-role credentials. Treat local-only and no-external-call claims cautiously unless network features are disabled or explicitly approved per use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (257)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The bundle manifest declares no permissions, yet the packaged skill set reportedly includes capabilities to read/write files, access environment variables, use the network, and invoke the shell. That mismatch prevents informed consent and creates a significant risk that installing the bundle grants broad execution power far beyond what a user would expect from a top-level catalog file.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The description presents this file as a simple bundle of 34 skills, but the analyzed behavior includes security scanning, code/project scaffolding, system health checks, shell/CLI usage, and interactions with external services. This kind of description-behavior mismatch is dangerous because users may install the package expecting passive content aggregation while actually introducing components that can inspect the workspace, execute commands, and contact third-party services.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill promises 'zero cloud dependency' and that financial data never leaves the machine, but it also documents `web_search` for vendor lookup and exchange rates, which can transmit sensitive merchant or transaction context externally. This creates a privacy and trust gap that may cause users to expose financial data under false assumptions about locality and data handling.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The skill says financial data must never be exposed outside the private session, yet later allows rendering via Playwright and external lookups, which weakens the strong local-only/privacy assurance. Even if Playwright is local, combining it with ambiguous external tooling creates inconsistent security boundaries around highly sensitive financial information.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Using `web_search` to look up vendor names in a personal-finance skill handling bank statements is unnecessary for core functionality and risks leaking merchant identities, spending habits, or contextual transaction details to third parties. Because transaction metadata is highly sensitive, even seemingly small outbound lookups can reveal personal behavior patterns.

Intent-Code Divergence

Medium
Confidence
85% confidence
Finding
The spec presents the dashboard as a local browser-only app, but also requires background script execution and filesystem watching, which a normal browser app cannot safely do without an additional privileged local service or Electron-style runtime. This mismatch can cause developers to bolt on ad hoc local execution or file access mechanisms, expanding the attack surface and undermining the stated trust boundary.

Intent-Code Divergence

Medium
Confidence
83% confidence
Finding
Saying no API server is needed while also requiring live filesystem monitoring is a contradictory design signal that can lead implementers to bypass browser security constraints with unsafe local integrations. In a finance tool handling sensitive records, this ambiguity increases the chance of insecure local services, overbroad file permissions, or hidden background components.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The skill is framed as passive context management but authorizes broad, automatic persistence of conversation details and preferences in every session. That expands its effective scope into cross-session data collection without clear consent boundaries, creating privacy and data-minimization risks far beyond temporary context preservation.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
Archive management, weekly pruning, and promotion into long-term memory extend the skill into general personal knowledge-base maintenance rather than merely preventing session context degradation. This increases the amount and lifetime of retained user data, raising exposure if notes contain sensitive or regulated information.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest promises context-rot prevention, but the implementation performs startup scanning of prior notes and comprehensive end-of-session persistence across sessions. This mismatch can mislead users and reviewers about the true data access and retention behavior, undermining informed consent and increasing the chance of stealthy data accumulation.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The instructions direct the agent to search broadly, including `find /`, to locate template files. For an agent with shell access, scanning the entire root filesystem exceeds the minimum needed scope for dashboard setup, can touch sensitive paths, and normalizes overbroad host inspection that may expose filenames, mounted secrets, or other tenant data in shared environments.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The setup prompt tells the agent to assure the user the Email Assistant is 'set up and secure' even though the procedure only creates local directories, copies files, and checks whether an email CLI exists. It does not validate account configuration, connectivity, authentication method, least-privilege settings, or whether the copied script/config are actually safe, so the claim can mislead users into overtrusting an unverified setup.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The example claims the agent analyzed the user's last 30 sent emails to infer writing style, even though the demonstrated request only asked to draft a reply. This normalizes access to broader mailbox content than necessary and can mislead users into believing the skill may silently inspect unrelated communications without explicit consent.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The specification presents the dashboard as using a local SQLite database for privacy, but later requires Supabase-specific controls such as RLS, Vault, and hosted private storage. This inconsistency can cause implementers to choose an architecture that lacks the stated protections, leading to insecure handling of invoice and client financial data through misunderstanding rather than explicit malicious behavior.

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The schema defines `payment_details` as a normal TEXT field in SQLite while the security section says such data must never be stored in plaintext in production. Because this is a full-stack invoice skill handling financial records, developers may copy the schema directly and end up storing bank or tax information unencrypted, exposing highly sensitive data if the database or local files are accessed.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Referencing an external shell script for vault statistics introduces unnecessary execution capability into a knowledge-ingestion skill. Even though the file only names the script, encouraging script execution increases attack surface because compromised workspace files or later-added script contents could be executed with the agent's privileges.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The export script offers to install pandoc via Homebrew during normal document export flow, which expands its privileges and side effects beyond exporting a document. Even though it prompts the user first, package installation changes the host environment and can violate least-privilege expectations for a content-export utility.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The example asserts 'Zero allergen conflicts' while including PB&J for a household where Mom has a tree-nut allergy. Even if PB is intended to mean peanut butter rather than tree nuts, the example is still unsafe because meal-planning systems often need strict allergen handling and cross-contact avoidance; presenting this as conflict-free can normalize unsafe recommendations or encourage incorrect downstream logic. In a meal-planning skill handling household dietary constraints, inaccurate allergen safety claims materially increase risk of harmful meal suggestions.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The setup prompt expands a meeting scheduler into adjacent capabilities like web research, email-thread retrieval, task creation, and drafting follow-up emails, which materially broadens the data access and action scope beyond scheduling alone. This is dangerous because users may consent to calendar setup without realizing the skill also enables ongoing access to communications and automated downstream actions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Prompting for web searches about attendees and retrieval of recent email threads introduces broader surveillance and data collection than is necessary to configure a scheduler. In context, this creates privacy and overreach risk because sensitive relationship, company, and correspondence data may be accessed under the guise of basic meeting setup.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Task synchronization and automated follow-up email drafting exceed the core function of scheduling and can trigger downstream actions in other systems or communications channels. Without strong consent and scope boundaries, the skill may create records or draft content the user did not expect from a scheduler, increasing operational and privacy risk.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The setup script automatically detects other installed skills and modifies this skill's configuration to enable cross-skill integrations involving contact history and task syncing. Even though this appears intended as a convenience feature, it expands the data-sharing scope beyond basic meeting scheduling and can lead to unexpected access to personal or organizational data once the skill runs.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The header comments state the script only validates prerequisites and initializes configuration, but it also changes file permissions and silently enables optional integrations. This mismatch reduces transparency and can mislead users or reviewers about the script's real behavior, making security-impacting side effects easier to hide or overlook.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill grants `exec` for export scripts, file operations, and permission setting, which materially exceeds what a note-taking workflow needs for normal operation. Even though the prompt includes some path constraints, shell execution greatly increases the blast radius if prompt injection, tool misuse, or script tampering occurs, enabling arbitrary local commands rather than bounded note storage/export actions.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The skill explicitly allows pushing note content into long-term agent memory, which expands data retention and access beyond the user's apparent expectation of local note capture/search. This creates a privacy and scope-expansion risk because sensitive notes, preferences, or decisions may persist across sessions or contexts and become available to other agent behaviors not covered by the local note-store model.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.destructive_delete_command, suspicious.prompt_injection_instructions

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
writing-coach-pro/SECURITY.md:37

Documentation contains a destructive delete command without an explicit confirmation gate.

Warn
Code
suspicious.destructive_delete_command
Location
writing-coach-pro/SETUP-PROMPT.md:90

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
budget-buddy-pro/SKILL.md:20

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
content-creator-pro/SKILL.md:19

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
daily-briefing/SKILL.md:18

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
dashboard-builder/SETUP-PROMPT.md:8

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
dashboard-builder/SKILL.md:22

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
docuscan/SECURITY.md:30

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
docuscan/SKILL.md:7

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
email-assistant/SECURITY.md:14

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
email-assistant/SKILL.md:19

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
expense-report-pro/SKILL.md:45

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
health-buddy-pro/SKILL.md:35

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
hireme-pro/SECURITY.md:62

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
hireme-pro/SKILL.md:20

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
invoicegen/SKILL.md:4

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
knowledge-vault/SKILL.md:18

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
meal-planner-pro/SKILL.md:16

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
notetaker-pro/SECURITY.md:25

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
notetaker-pro/SKILL.md:19

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
party-planner-pro/SKILL.md:20

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
relationship-buddy/SKILL.md:26

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
security-team/SKILL.md:18

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
stock-watcher-pro/SKILL.md:20

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
supercharged-memory/SKILL.md:18

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
trainer-buddy-pro/SKILL.md:20

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
travel-planner-pro/SKILL.md:18

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
tutor-buddy-pro/SKILL.md:28