Keep Protocol

Security checks across malware telemetry and agentic risk

Overview

The skill is a coherent agent-messaging tool, but it needs review because an MCP tool can pull/install and run server software, remove Docker containers on the target port, and leave a local service running without a separate approval step.

Install only if you intentionally want agents to communicate through a keep server. Pin package, image, or Go module versions before use; do not let an agent call keep_ensure_server unless you are comfortable with Docker/Go running code locally; keep the service bound to trusted local networks; monitor and stop the container or background process when finished; and do not send secrets or unreviewed memory through agent messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (19)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
)

# Start new container
result = subprocess.run(
    [
        "docker", "run", "-d",
        "--name", f"keep-server-{port}",
Confidence
94% confidence
Finding
result = subprocess.run( [ "docker", "run", "-d", "--name", f"keep-server-{port}", "-p", f"{

subprocess module call

Medium
Category
Dangerous Code Execution
Content
logger.info("Trying Go fallback...")
try:
    # Install the server binary
    result = subprocess.run(
        ["go", "install", "github.com/clcrawford-dev/keep-server@latest"],
        capture_output=True,
        text=True,
Confidence
95% confidence
Finding
result = subprocess.run( ["go", "install", "github.com/clcrawford-dev/keep-server@latest"], capture_output=True, text=True,

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Remove existing containers on this port
for container_id in existing_containers:
    subprocess.run(
        ["docker", "rm", "-f", container_id],
        capture_output=True,
        timeout=10,
Confidence
91% confidence
Finding
subprocess.run( ["docker", "rm", "-f", container_id], capture_output=True, timeout=10, )

subprocess module call

Medium
Category
Dangerous Code Execution
Content
if go_bin:
    # Start server in background
    subprocess.Popen(
        [str(go_bin)],
        stdout=subprocess.DEVNULL,
        stderr=subprocess.DEVNULL,
Confidence
95% confidence
Finding
subprocess.Popen( [str(go_bin)], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL,

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill advertises and enables capabilities that can execute shell commands, read/write files, and consume environment variables, yet it declares no permissions. This creates a trust-boundary failure: an invoking agent or reviewer cannot accurately assess what local-side effects may occur, increasing the chance of unauthorized command execution, persistence, or data access.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose is lightweight agent communication, but the behavior reportedly includes auto-starting infrastructure, running subprocesses, managing Docker containers, installing software, and writing to persistent files. This mismatch is dangerous because consumers may invoke the skill expecting only messaging, while it can modify the host environment and launch services, materially expanding the attack surface and enabling unintended system changes.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Any client that can produce a valid self-signed packet can query discover:agents and discover:stats, revealing connected agent identities, uptime, packet volume, and per-source scar activity. Because identity is bound only to a packet-supplied public key and src string, there is no authorization layer restricting who may enumerate the network, making reconnaissance and traffic analysis easier.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
A messaging client should not automatically install and launch server software as part of normal operation. This materially enlarges the trust boundary from packet transport to host software management, creating code execution and supply-chain exposure on the user's machine.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
Invoking Docker, Go, and subprocess-based process execution is not inherently required for agent-to-agent messaging and significantly increases local-system attack surface. In this skill context, the hidden ability to manipulate containers and launch binaries makes the package more dangerous than its stated purpose suggests.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The MCP tool exposes a capability to start external server software, including pulling/running Docker images or installing/running Go code, which goes beyond a normal messaging interface and introduces supply-chain and arbitrary system modification risk. In an agent tool context, this is especially dangerous because a model or upstream prompt can invoke it without meaningful user confirmation, causing unreviewed software execution on the host.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The skill exposes agent discovery and direct messaging features without clearly warning that these operations reveal connected identities and enable cross-agent communication. In multi-agent environments, that can leak topology, operational metadata, or facilitate unsolicited coordination and data sharing, especially given the memory-sharing and routing features described.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The document explicitly reveals the local path where ClawHub authentication tokens are stored, but does so without any warning that the file contains sensitive credentials. In an agent-facing skill, this increases the chance an automated system or inattentive user may read, copy, or expose the token-bearing file during troubleshooting or logging.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The plan explicitly proposes auto-starting a server via Docker or `go install` when port 9009 is closed, but does not mention any user consent, trust boundary, or verification steps. In an agent/tooling context, silently installing or launching software can lead to unexpected code execution, supply-chain exposure, and privilege or persistence concerns on the host.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The planned `client.discover()` includes optional LAN scanning of private address ranges without describing notice, consent, rate limits, or scope controls. Network probing can violate user expectations, trigger IDS/EDR alerts, and create security or policy issues in enterprise environments even if intended for local swarm discovery.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The documentation shows a headless login command that passes a token directly on the command line, which commonly exposes secrets through shell history, process listings, terminal logging, and CI logs. In a release workflow document, users are likely to copy-paste this exact pattern, increasing the chance of credential leakage for a registry-publishing token.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The MCP handlers expose network-capable primitives that transmit arbitrary agent-supplied message content to a local or configured keep-protocol server with no user consent, disclosure, or policy checks in the adapter itself. In an agent/tooling context, this can enable silent exfiltration of prompts, memory, or other sensitive data to other agents or infrastructure, especially because the functions are thin wrappers around send/listen/discover operations and return remote content directly.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The server logs packet bodies received over the network, which may include prompts, credentials, tokens, memory contents, or other sensitive agent-to-agent data. In this skill context, the protocol is explicitly for AI agent communication and 'memory sharing', so logging raw bodies can create unintended data exposure through log files, centralized log collectors, or support tooling.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The bootstrap path performs destructive Docker removal and starts containers/processes without any user-facing confirmation. In an agent skill, silent host modification is especially risky because users may expect a communication library, not software deployment and service orchestration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The tool can initiate Docker- or Go-based server setup with no user-facing warning, confirmation, or policy check, allowing an agent to cross a boundary from communication into local software deployment. In practice, this increases the chance of silent privilege use, unexpected network exposure, and execution of unreviewed code or images triggered by prompts rather than deliberate operator action.

VirusTotal

65/65 vendors flagged this skill as clean.
