Wip Ldm Os Private

Security checks across malware telemetry and agentic risk

Overview

The skill is a real LDM OS installer, but it also makes broad persistent changes to AI tooling, credentials, hooks, MCP access, and background behavior that users should review carefully before installing.

Install only if you want LDM OS to manage your local AI environment broadly, not just add one CLI. Review the dry run, expect changes under ~/.ldm, ~/.claude, and ~/.openclaw, and be cautious if you use 1Password service-account tokens because this version can persist OP_SERVICE_ACCOUNT_TOKEN into your shell profile. Avoid enabling it on sensitive machines until you are comfortable with the hooks, MCP registrations, OpenClaw allowlist changes, and background message-wake behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (149)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes shell commands, uses npm to install packages, and queries remote release data, but it does not declare permissions corresponding to shell, network, or environment access. This creates a transparency and trust problem: users and host platforms cannot accurately reason about what the skill is allowed to do before execution, increasing the risk of unintended command execution or remote package retrieval.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The skill is presented as a narrow installer/updater/status helper, but the described underlying behavior spans broad system modification, configuration editing, extension management, messaging, MCP serving, token storage, and execution of other skill scripts. This mismatch is dangerous because users may authorize a seemingly simple install/status workflow without understanding that it can alter multiple user directories, persistence mechanisms, configs, and connected tooling across the system.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file is not an installer/updater/status skill implementation at all; it is a long-form product planning and execution document containing operational instructions, deployment details, file paths, commit hashes, and follow-up actions across multiple repos. That mismatch is dangerous because an agent selected by manifest metadata could ingest and act on unrelated high-impact instructions, creating a prompt/skill confusion path where planning text is treated as executable workflow.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The document claims the task is limited to a single file and no code changes, but later includes instructions to create additional files outside that scope. In an agent skill, contradictory scope statements are risky because they can nudge an agent into making broader repository modifications than the user intended, weakening containment and review expectations.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This handoff directs the agent to publish an npm package and create GitHub releases, which is far outside the stated scope of an LDM OS installer/updater skill. Giving a skill unrelated software release authority increases the chance of unauthorized code publication, supply-chain impact, and repository modification if the skill is invoked in the wrong context or by crafted prompts.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The file contains full end-to-end release instructions including branch creation, commits, PR creation and merge, npm publication, GitHub release creation, and public deployment sync. In the context of an LDM OS installer/updater skill, these capabilities are dangerously over-privileged and could enable a compromised or mis-triggered agent to ship code to package registries and repositories, creating a direct software supply-chain risk.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The document proposes adding cross-agent memory synchronization and search capabilities that are unrelated to the stated purpose of the wip-ldm-os skill as an installer/updater. This expands the skill's effective data access scope to aggregate agent-local memories, creating a privacy and data-governance risk if deployed under a tool users expect to perform system install/update tasks only.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The planned hook scans local memory files and uploads their contents into a shared searchable system, which can expose sensitive user, project, and agent state beyond the original local context. In the context of an OS installer/updater skill, this is unjustified data exfiltration and materially increases the blast radius of any sensitive content stored in those files.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The plan weakens file-guard protections for paths under ~/.claude so the harness can more freely modify memory files. Relaxing safeguards on user-home state under a skill that should only install or update software increases the chance of unintended or abusive modification of local agent state and undermines defense-in-depth.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The document explicitly describes adding `export OP_SERVICE_ACCOUNT_TOKEN=$(cat ~/.openclaw/secrets/op-sa-token)` to `~/.zshrc`, which broadens the exposure of a sensitive credential from a single scoped process to every future interactive shell and child process. Persisting secrets in shell startup files increases the chance of accidental leakage through environment dumps, subprocess inheritance, logs, debugging tools, or unrelated tooling running in that shell.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
This document explicitly proposes routing paid third-party API usage through a first-party CLI to avoid billing controls, which is a policy-evasion and cost-circumvention technique unrelated to the stated LDM OS installer/updater purpose. Even though the note says not to pursue it now, the file preserves a ready-to-execute operational plan that could be reused later, making the skill more dangerous by embedding abusive guidance.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The content is materially out of scope for an LDM OS installer/updater skill and instead contains detailed operational instructions for OpenClaw authentication, subprocess routing, billing strategy, testing, and deployment. This scope drift increases the chance the skill will be invoked to perform unauthorized platform manipulation or provider-policy work unrelated to its declared function.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This file defines a broad agent-to-agent messaging, pairing, relay, push, approval, wallet, and cloud-sync architecture that is materially outside the stated purpose of an LDM OS installer/updater skill. In a skill context, documenting or enabling unrelated high-privilege capabilities increases the chance of scope creep, unauthorized data movement, and hidden command-and-control style behavior across devices and agents.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Wallet and Agent Pay capabilities are unrelated to installing or updating LDM OS and represent financially sensitive functionality. Including them in the context of an installer skill expands the trust boundary unnecessarily and could enable unauthorized spending flows or token exposure if the skill is invoked under the assumption it only performs OS maintenance.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
Memory Crystal cloud sync is outside the declared installer/updater purpose and introduces unnecessary data exfiltration and persistence risk. Reusing a single device token for sync and other services compounds the issue by broadening the blast radius if that token is accessed or misused.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
The document acknowledges a serious mismatch between the marketed privacy properties and the actual deployed behavior: the relay can currently read prompts, outputs, reasoning, and errors. That creates a real confidentiality risk if users rely on the stated privacy claims and send sensitive data through the system before end-to-end encryption is actually enforced.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The plan promises control of the same live session while also documenting that persisted sessions cannot actually be attached and a different thread may be created instead. This is dangerous because users may act under false assumptions about continuity, causing commands or prompts to run in the wrong context and potentially exposing or modifying unintended data.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The decision section states an absolute trust-boundary guarantee ('The relay never reads payload content') that contradicts earlier sections describing the current relay as able to inspect plaintext WebSocket frames. Security documentation contradictions like this can directly mislead implementers, reviewers, and users into unsafe deployment decisions.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This plan expands the LDM OS installer/updater beyond installation and update functions into deployment and scheduling of an organization-wide summarization pipeline. That creates unauthorized capability growth in a privileged component, increasing the chance that an install/update path becomes a vehicle for persistent data collection, scheduled execution, and broad workspace modification unrelated to the skill's stated purpose.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The planned workflow gives the installer-linked ecosystem access to organization-wide crystal searches across all agents and git-log aggregation across repos, which is far broader than necessary for an OS installer/updater. This broad collection and consolidation of cross-agent conversations, decisions, and development activity can expose sensitive internal information and creates a strong data-exfiltration and surveillance surface if misused or compromised.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This is a real scope-drift issue. The skill metadata says it should install, update, or check status of LDM OS, but the documented behavior expands into repo privatization, GitHub administration, release orchestration, and docs publishing. In an agent context, that mismatch is dangerous because a user invoking an installer/updater skill could trigger broad repository and publication side effects they did not authorize or expect.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
This section authorizes the installer to create git repos, initialize them, make commits, push to remotes, and manage harness directories. Those are powerful persistent side effects unrelated to a normal install/update/status workflow and can alter user state, create externally visible artifacts, and leak configuration into repositories if misused. The danger is amplified because these actions affect home-directory and harness state that users may assume is local-only.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The planned `wip-privatize` workflow performs a chain of sensitive actions: renaming GitHub repos, changing remotes, renaming local directories, creating new public mirrors, scaffolding files, and committing changes. Even if intended for legitimate migration, this is a high-risk administrative workflow that should not be bundled into an installer-focused skill because it can irreversibly alter repository topology and publication state. If triggered incorrectly, it could expose code publicly, break remotes, or mutate production repos.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
This is a genuine manifest-to-content mismatch. The file explicitly positions itself as infrastructure for templates, docs, releases, privatization, and onboarding, which conflicts with the much narrower installer/updater skill description. Such mismatch weakens user consent and tool governance because reviewers and users cannot rely on the manifest to understand the real authority of the skill.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The plan materially expands the skill from an LDM OS installer/status checker into an ecosystem orchestrator that installs, wires, and cross-promotes multiple other products across interfaces. That scope creep increases the blast radius of any invocation, because a user asking for one product may trigger deployment logic for unrelated components and integrations they did not explicitly request.

VirusTotal

66/66 vendors flagged this skill as clean.