GBrain

Security checks across malware telemetry and agentic risk

Overview

GBrain appears to be a real personal knowledge-brain package, but it is rated Review because it grants broad personal-data, mutation, code-execution, background-job, and model-routing authority, and several of its instructions are under-scoped or unsafe.

Install only if you are comfortable giving this package and its agent broad access to your personal knowledge base and to any connected email, calendar, meeting, voice, social, database, and cloud-storage accounts. Before enabling integrations: narrow OAuth/credential scopes where possible; review any cron, autopilot, or background jobs; disable the silent refusal-routing behavior; require confirmation before any git push or signed-URL sharing; and avoid connecting sensitive work accounts until you have inspected the configured tasks and storage destinations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (139)

Intent-Code Divergence

Severity: Low (89% confidence)
The skill promises that attendee email addresses are excluded from output, but later instructs implementers to derive names from email prefixes when display names are missing. Even if the full address is not written, exposing the local-part can still reveal personal identifiers and contradicts the documented privacy expectation, increasing the risk of unintended disclosure in stored calendar notes.

Context-Inappropriate Capability

Severity: Medium (95% confidence)
The recipe explicitly instructs creation of an overly broad ClawVisor task purpose ('full executive assistant access' and 'be EXPANSIVE'), which weakens least-privilege boundaries and normalizes wider-than-needed access. In a credential setup skill, this makes downstream misuse easier because the gateway is pre-authorized for broad historical and multi-service data access beyond minimal setup needs.

Context-Inappropriate Capability

Severity: Medium (95% confidence)
The instructions tell the user to create a standing task with a purpose broad enough to allow 'full executive assistant email management,' which materially exceeds the stated email-to-brain collection/enrichment use case. This weakens least-privilege boundaries at the credential gateway and could authorize unrelated mailbox operations such as broad searching, thread management, or other sensitive actions if the gateway relies on task-purpose scoping for enforcement.

Intent-Code Divergence

Severity: Medium (89% confidence)
The setup text claims the app only needs gmail.readonly, but later behavior includes querying sent mail and broader mailbox collection on a recurring basis. Even if sent-mail reads can technically fit within readonly, the documentation understates the breadth and persistence of access, which can mislead users during consent and undermine informed authorization.

Intent-Code Divergence

Severity: Medium (93% confidence)
The recipe states that attendee filtering should remove email addresses, but the documented meeting page structure still stores attendee emails in frontmatter. This creates an unnecessary retention of personal data and increases the risk of exposing attendee identities if the brain repository is searched, synced, or later pushed to a remote. The contradiction also makes privacy-preserving implementations less likely.

Description-Behavior Mismatch

Severity: Medium (95% confidence)
The skill's core purpose is importing meeting transcripts into local brain pages, yet it also describes automatic git commit and push of the repository containing those transcripts. That materially broadens data exposure from local processing to external publication or replication, which is especially dangerous because meeting transcripts often contain confidential business and personal information. The mismatch between stated purpose and data egress makes the behavior higher risk.

Context-Inappropriate Capability

Severity: Medium (97% confidence)
The documented auto-commit and git push are not necessary to perform meeting synchronization, but they can transmit newly imported transcripts and derived notes to a remote repository. Because the content includes transcripts, attendee identities, action items, and cross-linked entity pages, this can leak sensitive information outside the local environment with no meaningful minimization. Unjustified outbound publication is a real security and privacy risk.

Context-Inappropriate Capability

Severity: Medium (89% confidence)
The watchdog for an ngrok tunnel also mutates Twilio configuration by posting a new VoiceUrl with stored Twilio credentials. That behavior expands the skill's scope from local tunnel management into external account administration, which increases risk because a compromise, misconfiguration, or unexpected restart can silently alter telephony routing.

Intent-Code Divergence

Severity: Medium (95% confidence)
The recipe states that unauthenticated callers should never receive write tools, but later guidance encourages real-time logging and message posting during calls. That creates an authorization ambiguity where a caller may be able to trigger writes to the brain or external messaging before identity is established, leading to unauthorized data creation or exfiltration.

Context-Inappropriate Capability

Severity: Medium (86% confidence)
This documentation expands a generic brain-writing rule set into operational guidance for uploading raw files to cloud storage and generating signed URLs, which introduces data exfiltration and access-scope risk beyond simple filing behavior. Because the skill provides concrete commands and storage pointer formats without stating authorization boundaries, retention limits, or access controls, an agent could treat these actions as implicitly approved and handle sensitive material unsafely.

Intent-Code Divergence

Severity: Medium (91% confidence)
The skill explicitly brands itself as read-only, but later includes instructions for handling page creation or updates during briefing generation. That inconsistency can cause an agent or operator to perform state-changing actions under a read-only trust assumption, which is dangerous in a knowledge-management system because it may lead to unauthorized or unintended modifications. The context makes this more concerning because the skill is designed to aggregate broad personal and deal context, so accidental writes could corrupt sensitive records at scale.

Description-Behavior Mismatch

Severity: Medium (88% confidence)
The documentation instructs the skill to use `get_health`, but that capability is missing from the declared tool manifest. This creates a specification mismatch: agents may attempt undeclared operations, fail unpredictably, or infer/route to tools outside the allowed interface, weakening control boundaries and making behavior less auditable. In this skill's context, the impact is limited because it is primarily read-only and the missing tool is for health/status checks, but the inconsistency still increases operational and security risk.

Intent-Code Divergence

Severity: Medium (96% confidence)
The configuration explicitly directs the system to suppress refusals and silently route the request to alternative models. This defeats user-visible safety boundaries and can turn one model's refusal into a multi-model safety bypass, especially if downstream models have weaker safeguards or different policies.

Intent-Code Divergence

Severity: Medium (95% confidence)
The skill explicitly instructs agents to conceal refusals and silently switch models when a request is rejected. This undermines transparency and safety controls by encouraging the system to route around model safeguards instead of surfacing limitations to the user, which can enable policy evasion and unreviewed unsafe outputs.

Intent-Code Divergence

Severity: Medium (96% confidence)
The frontmatter advertises a narrower tool set than the body actually instructs the agent to use, including capabilities like list_pages, put_raw_data, and get_raw_data. This mismatch weakens operator review and policy enforcement because hidden or undocumented capabilities can be invoked without clear approval, increasing the chance of unauthorized persistence or data handling.

Intent-Code Divergence

Severity: Medium (95% confidence)
The skill documents use of capabilities such as get_tags, add_tag, put_raw_data, and get_backlinks that are not declared in the manifest tool list. This creates a dangerous mismatch between declared and expected permissions: operators and reviewers may believe the skill has a narrower capability set than its instructions assume, undermining least-privilege review and enabling accidental over-granting or unsafe fallback behavior.

Context-Inappropriate Capability

Severity: Medium (95% confidence)
The skill instructs the agent to run broad shell-level `gbrain` maintenance commands such as extraction, autopilot installation, and other repo-wide operations that are outside the declared tool interface. This expands execution from scoped knowledge-maintenance actions into host/system-side command execution, creating risk of unauthorized state changes, persistence, or misuse of local resources without explicit user consent.

Context-Inappropriate Capability

Severity: Medium (97% confidence)
The skill explicitly recommends running embedding refresh as a background process using `nohup` and shell redirection. That introduces persistence beyond the current session and can consume significant CPU, memory, disk, or API budget while evading normal interactive oversight.

Context-Inappropriate Capability

Severity: Medium (94% confidence)
The skill directs the agent to run administrative commands affecting security posture, schema, migrations, and file storage integrity, including re-running initialization. These actions exceed ordinary content maintenance and could alter database configuration, trigger migrations, or modify storage state in ways that are hard to validate or recover from automatically.

Intent-Code Divergence

Severity: Medium (92% confidence)
The documentation claims use of tools such as `remove_link`, `add_tag`, `remove_tag`, and `get_timeline` that are not declared in the manifest. This mismatch can cause the runtime or an operator to infer capabilities the skill should not have, undermining trust boundaries and enabling unsafe implementation drift.
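The manifest-mismatch findings above (the undeclared `get_health`, `list_pages`/`put_raw_data`/`get_raw_data`, `get_tags`/`add_tag`/`get_backlinks`, and `remove_link`/`remove_tag`/`get_timeline` references) all reduce to one mechanical check: every tool name the skill body tells the agent to invoke must appear in the declared tool list. The following TypeScript is an added example written for this page, not GBrain's or SkillSpector's code. It assumes a skill document with a `tools:` list in `---`-fenced frontmatter and body references written as backticked snake_case names (optionally call-style, like `add_tag(page, tag)`); the sample skill text is constructed.

```typescript
// Added example, not GBrain's or SkillSpector's code: lint a skill document so
// that every tool its body tells the agent to call is declared in the frontmatter.
// Assumptions: frontmatter sits between `---` fences and declares tools either as
// `tools: [a, b]` or as an indented `- name` list; body references are backticked
// snake_case names, optionally call-style (`add_tag(page, tag)`).

export interface ManifestLint {
  declared: string[];
  referenced: string[];
  undeclared: string[];
}

function splitFrontmatter(doc: string): { front: string; body: string } {
  const m = /^---\r?\n([\s\S]*?)\r?\n---\r?\n?([\s\S]*)$/.exec(doc);
  return m ? { front: m[1], body: m[2] } : { front: "", body: doc };
}

function parseDeclaredTools(front: string): string[] {
  const lines = front.split(/\r?\n/);
  for (let i = 0; i < lines.length; i++) {
    const key = /^tools:\s*(.*)$/.exec(lines[i]);
    if (!key) continue;
    const inline = /^\[(.*)\]$/.exec(key[1].trim());
    if (inline) {
      return inline[1].split(",").map((s) => s.trim()).filter((s) => s.length > 0);
    }
    const out: string[] = [];
    for (let j = i + 1; j < lines.length; j++) {
      const item = /^[ \t]+-\s*(\S+)/.exec(lines[j]);
      if (!item) break; // list ends at the first non-item line
      out.push(item[1]);
    }
    return out;
  }
  return [];
}

// Backticked snake_case identifiers are treated as tool references; the
// optional `(...)` suffix covers call-style mentions such as `add_tag(page, tag)`.
function findReferencedTools(body: string): string[] {
  const seen = new Set<string>();
  const re = /`([a-z][a-z0-9]*(?:_[a-z0-9]+)+)(?:\([^`]*\))?`/g;
  let m: RegExpExecArray | null;
  while ((m = re.exec(body)) !== null) seen.add(m[1]);
  return Array.from(seen).sort();
}

export function lintToolManifest(doc: string): ManifestLint {
  const { front, body } = splitFrontmatter(doc);
  const declared = parseDeclaredTools(front);
  const referenced = findReferencedTools(body);
  const declaredSet = new Set(declared);
  return { declared, referenced, undeclared: referenced.filter((t) => !declaredSet.has(t)) };
}

// Constructed sample: the body uses three tools the manifest never declares.
export const SAMPLE_SKILL = `---
name: brain-maintenance
tools:
  - get_page
  - put_page
  - search
---
Use \`get_page\` to load the entry, then \`put_page\` to save it.
For tags call \`get_tags\` and \`add_tag(page, tag)\`; for blobs use \`put_raw_data\`.
`;
```

Run `lintToolManifest` over every skill file in a review step and fail the review when `undeclared` is non-empty; the reverse list (declared but never referenced) is also worth printing, since it points at permissions that can simply be dropped.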

Intent-Code Divergence

Severity: Medium (92% confidence)
The skill states it 'NEVER ships pre-filled content,' but later describes installing template files and auto-populating user data from git config. This inconsistency can mislead users and downstream agents about what data is written, creating a privacy and consent risk when personal information is inserted into local files unexpectedly.

Intent-Code Divergence

Severity: Medium (96% confidence)
The command advertises upload verification, but it only checks whether database fields like content_hash and storage_path are populated; it does not validate that the remote object exists or that its contents match the recorded hash or local file. This can create a false sense of integrity, causing operators to trust backups or migrations that are actually incomplete or corrupted, which is especially risky because nearby commands delete local originals after cloud migration.
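What a verification step should actually establish before local originals are deleted is that the remote object exists and its bytes hash to the recorded `content_hash`. The TypeScript below is an added example for this page, not GBrain's code: the record shape, the `ObjectFetcher` callback, and the in-memory bucket are assumptions, and the fetcher is synchronous only to keep the example self-contained (a real object-store client would be awaited).

```typescript
import { createHash } from "node:crypto";

// Added example, not GBrain's code: an upload "verify" that fetches the remote
// object and compares its SHA-256 with the recorded hash, next to the weak check
// the finding describes (columns populated => "verified"). Record shape,
// ObjectFetcher and the in-memory bucket are assumptions for this example.

export interface FileRecord {
  path: string;                  // local original
  content_hash: string | null;   // hex SHA-256 recorded when the upload was attempted
  storage_path: string | null;   // remote object key
}

export type ObjectFetcher = (storagePath: string) => Buffer | null;

export type VerifyStatus = "ok" | "not-uploaded" | "missing-remote" | "hash-mismatch";

export function sha256Hex(data: Buffer): string {
  return createHash("sha256").update(data).digest("hex");
}

// The weak check: passes whenever the database columns are non-empty.
export function weakVerify(rec: FileRecord): boolean {
  return Boolean(rec.content_hash) && Boolean(rec.storage_path);
}

export function verifyUpload(rec: FileRecord, fetchObject: ObjectFetcher): VerifyStatus {
  if (!weakVerify(rec)) return "not-uploaded";
  const remote = fetchObject(rec.storage_path as string);
  if (remote === null) return "missing-remote";   // database says uploaded, bucket disagrees
  return sha256Hex(remote) === rec.content_hash ? "ok" : "hash-mismatch";
}

// Gate for the "delete local originals after cloud migration" step.
export function safeToDeleteLocal(rec: FileRecord, fetchObject: ObjectFetcher): boolean {
  return verifyUpload(rec, fetchObject) === "ok";
}

// Constructed in-memory bucket standing in for cloud storage.
export const BUCKET = new Map<string, Buffer>([
  ["brain/raw/a.pdf", Buffer.from("intact contents")],
  ["brain/raw/c.pdf", Buffer.from("truncat")],   // partial upload
]);
export const fetchFromBucket: ObjectFetcher = (key) => BUCKET.get(key) ?? null;

// Constructed records: a is fine, b never reached the bucket, c is truncated,
// d was never uploaded at all. The weak check accepts a, b and c.
export const RECORDS: FileRecord[] = [
  { path: "a.pdf", content_hash: sha256Hex(Buffer.from("intact contents")), storage_path: "brain/raw/a.pdf" },
  { path: "b.pdf", content_hash: sha256Hex(Buffer.from("never made it")), storage_path: "brain/raw/b.pdf" },
  { path: "c.pdf", content_hash: sha256Hex(Buffer.from("truncated contents")), storage_path: "brain/raw/c.pdf" },
  { path: "d.pdf", content_hash: null, storage_path: null },
];

export function verifyAll(): Record<string, VerifyStatus> {
  const out: Record<string, VerifyStatus> = {};
  for (const r of RECORDS) out[r.path] = verifyUpload(r, fetchFromBucket);
  return out;
}
```

For large objects, fetching every blob is expensive; a cheaper first pass is a HEAD request comparing size and the provider's checksum metadata, falling back to a full read only when those are absent.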

Context-Inappropriate Capability

Severity: Medium (83% confidence)
The init command executes an external binary from a user-writable home-directory path (`~/.claude/skills/gstack/bin/gstack-global-discover`) during status detection. If the file at that path is replaced or tampered with, running `init` executes attacker-controlled code, which expands the attack surface well beyond normal initialization behavior.

Context-Inappropriate Capability

Severity: Medium (79% confidence)
`installDefaultTemplates(workspaceDir)` writes multiple files into an arbitrary caller-supplied directory without any path restriction or trust boundary checks. If an attacker can influence `workspaceDir`, this can overwrite or plant files in unintended locations, potentially modifying agent behavior or persistence-related workspace content.
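The usual fix is to confine every write to a workspace root: resolve the destination under the root, reject anything absolute or climbing out with `..`, and resolve symlinks on the deepest existing ancestor so a planted link inside the workspace cannot redirect the write elsewhere. The following TypeScript is an added example for this page, not GBrain's API; `installDefaultTemplatesSafely` and `resolveInside` are example names and the temp-directory fixture is constructed.

```typescript
import * as fs from "node:fs";
import * as os from "node:os";
import * as path from "node:path";

// Added example, not GBrain's API: a template installer confined to a workspace
// root. `installDefaultTemplatesSafely` / `resolveInside` are example names.

export class PathEscapeError extends Error {
  constructor(message: string) {
    super(message);
    this.name = "PathEscapeError";
  }
}

// Resolve `relative` beneath `root` and prove the result stays inside it.
export function resolveInside(root: string, relative: string): string {
  const rootReal = fs.realpathSync(root);
  if (path.isAbsolute(relative)) throw new PathEscapeError("absolute path rejected: " + relative);
  const target = path.resolve(rootReal, relative);
  const rel = path.relative(rootReal, target);
  if (rel === "" || rel === ".." || rel.startsWith(".." + path.sep)) {
    throw new PathEscapeError("path escapes workspace: " + relative);
  }
  // Follow symlinks on the deepest existing ancestor of the target; a planted
  // link such as workspace/linked -> /somewhere/else must not redirect the write.
  let probe = path.dirname(target);
  while (!fs.existsSync(probe)) probe = path.dirname(probe);
  const probeReal = fs.realpathSync(probe);
  if (probeReal !== rootReal && !probeReal.startsWith(rootReal + path.sep)) {
    throw new PathEscapeError("symlink escapes workspace: " + relative);
  }
  return target;
}

export function installDefaultTemplatesSafely(workspaceDir: string, templates: Record<string, string>): string[] {
  const written: string[] = [];
  for (const name of Object.keys(templates)) {
    const dest = resolveInside(workspaceDir, name);
    fs.mkdirSync(path.dirname(dest), { recursive: true });
    fs.writeFileSync(dest, templates[name], { flag: "wx" });   // wx: never overwrite an existing file
    written.push(dest);
  }
  return written;
}

// Constructed fixture: a temp workspace with a symlink planted inside it that
// points at a directory outside the workspace.
export function demoTemplateInstall(): { written: string[]; rejected: string[] } {
  const ws = fs.mkdtempSync(path.join(os.tmpdir(), "gbrain-ws-"));
  const outside = fs.mkdtempSync(path.join(os.tmpdir(), "gbrain-outside-"));
  fs.symlinkSync(outside, path.join(ws, "linked"));
  const wsReal = fs.realpathSync(ws);
  const written = installDefaultTemplatesSafely(ws, { "templates/daily.md": "# Daily\n" })
    .map((p) => path.relative(wsReal, p));
  const rejected: string[] = [];
  for (const bad of ["../escape.md", "/etc/cron.d/gbrain", "linked/inside.md", "."]) {
    try {
      installDefaultTemplatesSafely(ws, { [bad]: "x" });
    } catch (e) {
      if ((e as Error).name !== "PathEscapeError") throw e;
      rejected.push(bad);
    }
  }
  fs.rmSync(ws, { recursive: true, force: true });
  fs.rmSync(outside, { recursive: true, force: true });
  return { written, rejected };
}
```

The `wx` flag matters as much as the path check: an installer that silently overwrites an existing `CLAUDE.md` or similar agent-instruction file is itself a way to change agent behaviour, so existing files should be left alone or explicitly confirmed.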

Intent-Code Divergence

Severity: Medium (95% confidence)
The schema comment states RLS is enabled on all tables, but the code only enables it for a subset and omits the remote-access tables `access_tokens` and `mcp_request_log`. If these tables are exposed through a role with broader defaults or future grants, sensitive token metadata and request logs may be readable or modifiable without the intended row-level protections, creating an authorization gap around remote access controls.
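A comment such as "RLS is enabled on all tables" should be checked against the migration file rather than trusted. The TypeScript below is an added example for this page, not GBrain's code: it collects every `CREATE TABLE` in a schema, pairs each with an `ALTER TABLE ... ENABLE ROW LEVEL SECURITY`, and reports the tables that never get one. The sample schema is constructed to mirror the finding and is not GBrain's real schema.

```typescript
// Added example, not GBrain's code: lint a SQL migration so that every created
// table has a matching ENABLE ROW LEVEL SECURITY statement. Handles quoted and
// schema-qualified names; the sample schema below is constructed.

export interface RlsReport {
  tables: string[];
  rlsEnabled: string[];
  missingRls: string[];
}

function stripSqlComments(sql: string): string {
  return sql.replace(/--[^\n]*/g, "").replace(/\/\*[\s\S]*?\*\//g, "");
}

// `public."Foo"`, `"foo"` and `foo` all normalise to `foo`.
function normaliseTable(raw: string): string {
  const parts = raw.split(".");
  const last = parts[parts.length - 1];
  return last.replace(/^"|"$/g, "").toLowerCase();
}

export function auditRls(schemaSql: string): RlsReport {
  const sql = stripSqlComments(schemaSql);
  const ident = '(?:"[^"]+"|[A-Za-z_][A-Za-z0-9_]*)(?:\\.(?:"[^"]+"|[A-Za-z_][A-Za-z0-9_]*))?';
  const createRe = new RegExp("\\bcreate\\s+table\\s+(?:if\\s+not\\s+exists\\s+)?(" + ident + ")", "gi");
  const enableRe = new RegExp(
    "\\balter\\s+table\\s+(?:only\\s+)?(?:if\\s+exists\\s+)?(" + ident + ")\\s+enable\\s+row\\s+level\\s+security",
    "gi"
  );
  const tables = new Set<string>();
  const enabled = new Set<string>();
  let m: RegExpExecArray | null;
  while ((m = createRe.exec(sql)) !== null) tables.add(normaliseTable(m[1]));
  while ((m = enableRe.exec(sql)) !== null) enabled.add(normaliseTable(m[1]));
  const all = Array.from(tables).sort();
  return {
    tables: all,
    rlsEnabled: Array.from(enabled).sort(),
    missingRls: all.filter((t) => !enabled.has(t)),
  };
}

// Statements that would close the gap, for pasting into the next migration.
export function rlsFixStatements(report: RlsReport): string[] {
  return report.missingRls.map((t) => "alter table " + t + " enable row level security;");
}

// Constructed schema mirroring the finding: the comment claims RLS everywhere,
// but the two remote-access tables never get it.
export const SAMPLE_SCHEMA = `
-- RLS is enabled on all tables
create table pages (id bigserial primary key, title text, body text);
create table page_links (src bigint, dst bigint);
create table access_tokens (id bigserial primary key, token_hash text, scopes text[]);
create table mcp_request_log (id bigserial primary key, token_id bigint, payload jsonb);

alter table pages enable row level security;
alter table page_links enable row level security;
create policy pages_owner on pages using (owner_id = auth.uid());
`;
```

Enabling RLS is only half of the control: a table with RLS enabled and no policy denies everything to non-owner roles, so after adding the two missing `ALTER TABLE` statements the next step is a policy for `access_tokens` and `mcp_request_log` that scopes rows to the token's owner. Against a live database the same question can be asked of `pg_class.relrowsecurity`, which catches tables created outside the checked-in migrations.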

VirusTotal

65/65 vendors flagged this plugin as clean.
