synapse

Security checks across malware telemetry and agentic risk

Overview

This skill appears purpose-built for P2P file and memory sharing, but it needs Review because it can expose sensitive data and runs a persistent seeder with weak local controls.

Install only if you intend to participate in a public or semi-public P2P sharing network. Do not share secrets, proprietary files, regulated data, or private agent memory unless you have reviewed exactly what will be published. Treat downloaded shards as untrusted, avoid using skip_safety_check, prefer private HTTPS trackers, and be aware that the background seeder and its local control socket need hardening before use on shared systems.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (24)

Description-Behavior Mismatch

Severity: Medium
Confidence: 83%
Finding:
The module claims to perform local embedding computation, but it implicitly fetches model and tokenizer artifacts from a remote repository at runtime. This creates a supply-chain and privacy risk because users may believe processing is fully local and offline when the code can initiate network access and ingest unpinned external artifacts.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
Using trust_remote_code=True allows model repository code to be executed during tokenizer/model loading, which is far broader than needed for embedding generation. If the upstream repository is compromised or replaced, this can lead to arbitrary code execution on the host during normal application startup.

Context-Inappropriate Capability

Severity: High
Confidence: 98%
Finding:
The PyTorch fallback repeats the same dangerous pattern by enabling remote repository code execution through SentenceTransformer loading. This means even environments without ONNX dependencies still retain an arbitrary-code-execution path tied to external model artifacts.

Context-Inappropriate Capability

Severity: High
Confidence: 79%
Finding:
The identity setup command adds external code-execution capability by launching a separate Python script. Even though the target script path is local and fixed, invoking external code increases attack surface and can be abused if the package directory or setup script is tampered with, or if callers can trigger this unexpectedly.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding:
The tracker announcement code reads file content, derives an embedding from that content, and transmits it together with creator identity metadata to remote trackers. Even if intended for semantic search, this is still external disclosure of content-derived and identity-linked information, which can leak sensitive file semantics to third parties without clear consent or minimization.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
The placeholder download helper marks a session as complete and seeding without downloading, verifying, or writing any file to disk. This breaks integrity guarantees and can cause higher-level components to treat nonexistent or unverified content as trusted, enabling logic abuse, data corruption, or downstream unsafe processing.

Intent-Code Divergence

Severity: High
Confidence: 99%
Finding:
The module claims reputation is based on cryptographically signed attestations, but submit_attestation only checks whether a signature field exists and never validates it. Because verification can also be disabled, an attacker can submit forged attestations to inflate or damage an agent's reputation, undermining all trust decisions derived from this data.

Context-Inappropriate Capability

Severity: High
Confidence: 94%
Finding:
The code trusts a PID read from a file in the user's home directory and may send SIGTERM to that process if shutdown checks fail. If that PID file is stale, corrupted, or tampered with, the client can terminate an unrelated local process, creating a host-impacting denial-of-service primitive.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding:
The daemon creates a Unix domain socket in /tmp and then sets its permissions to 0o666, allowing any local user or process to connect and issue privileged control commands such as add_shard, remove_shard, list_shards, and shutdown. In the context of a persistent BitTorrent seeder, this enables unauthorized local manipulation of shared files, information disclosure of seeded file paths and magnet URIs, and trivial denial of service by shutting the daemon down.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The heartbeat routine specifies automatic pruning of completed downloads older than 7 days, but there is no indication of explicit user consent, warning, retention policy visibility, or safeguards to ensure only non-user-owned cache data is deleted. In a P2P file-sharing skill handling 'memory shards,' ambiguous deletion behavior can cause unintended loss of user data or evidence, especially if downloaded content is intermixed with user-managed files.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
Automatically posting magnet links to a community tracker exposes participation in the P2P network and may reveal metadata about shared knowledge domains, local activity, or organizational interests without an explicit privacy disclosure. In this skill's context, agent-to-agent semantic file sharing increases sensitivity because published magnet links can broaden discoverability of content and create network attribution, compliance, or data leakage risks.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The README explicitly advertises automatic tracker registration, semantic indexing, and a background seeder daemon, but does not warn users that sharing content may expose file metadata, embeddings derived from content, network identifiers, and persistent seeding behavior to external peers and the central tracker. In a P2P file-sharing skill, omission of these privacy and exposure implications can lead users to unintentionally publish sensitive data or remain available on the network longer than expected.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
A P2P file-sharing skill inherently exposes metadata such as shared file identifiers, network addresses, tracker interactions, and potentially search queries, yet the description does not warn users about that exposure. In this context, omission is dangerous because users may share or search for sensitive material without realizing that metadata is visible to peers and external infrastructure.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The installation step pipes a remotely fetched script directly into a shell without any warning, pinning, checksum verification, or trust disclosure. If the hosting domain, transport path, or script content is compromised, users may immediately execute attacker-controlled code on their system.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The usage examples encourage sharing arbitrary local files and downloading content from a P2P network, but they omit warnings about accidental disclosure of sensitive files and retrieval of untrusted content. In this skill's context, that omission is significant because the core feature set directly moves data between untrusted peers and external trackers.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding:
The manifest defines powerful actions such as exporting a vector database, downloading from a P2P network, and assimilating external memory using broad descriptions without clear guardrails, approval requirements, or prohibited-use conditions. In an agent setting, vague tool semantics can cause unsafe invocation, overbroad data access, or unintended trust in remote content because the agent is not warned about when these operations are inappropriate.

Missing User Warnings

Severity: High
Confidence: 95%
Finding:
The skill explicitly supports exporting portions of the agent's vector database and generating magnet links for distribution, but provides no privacy warning or disclosure control in the manifest. Because vector databases may contain sensitive internal memory, proprietary data, or user-derived content, this can directly enable unintended exfiltration and broad peer-to-peer dissemination.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The manifest allows downloading arbitrary memory shards from a P2P network and assimilating them into the agent's active memory, including a flag to skip safety checks. In this skill context, untrusted external memory can poison the agent's knowledge base, alter future behavior, and introduce malicious or misleading content into active decision-making.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding:
The code performs remote model/tokenizer downloads and writes persistent cache data without explicit user-facing disclosure or consent. In a P2P file-sharing skill, hidden network activity and silent local persistence increase operational and privacy risk because users may not expect external fetches or retained artifacts on disk.

Missing User Warnings

Severity: Medium
Confidence: 85%
Finding:
The example downloads a shard from a P2P source and then assimilates it into a local agent memory database, which modifies persistent local state. Although the code performs compatibility and safety checks, it does not present an explicit user-facing warning or require confirmation before writing untrusted downloaded content into local memory, which can normalize risky behavior and lead to accidental ingestion of malicious or poisoned data.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The OpenSSL fallback writes private key material to a named temporary file on disk before signing. Even though the file is later deleted, sensitive key material may be exposed through permissive default temp-file locations, backup/forensic recovery, host compromise, or race/access issues on multi-user systems, which is especially serious for long-term identity keys.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding:
The share flow reads up to 8000 characters of the local file and transmits a derived embedding plus metadata such as file size, display name, tags, and potentially identity fields to a remote tracker without an explicit consent step. Embeddings can leak semantic information about private content, and the metadata further aids correlation and identification.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The search command sends a query-derived embedding to a remote tracker by default, which exposes semantic information about the user's search intent without strong disclosure in the command behavior itself. Because the default tracker uses plain HTTP, the request is also vulnerable to interception or tampering in transit.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding:
The code transmits file-derived embeddings and creator metadata to trackers over network requests with no explicit user-facing notice or consent mechanism. In this skill context, semantic search does not eliminate the privacy risk, because embeddings can still reveal sensitive properties of file contents and link them to identities.

VirusTotal

57/57 vendors flagged this skill as clean.