Hivemind

Security checks across malware telemetry and agentic risk

Overview

Hivemind is, for the most part, a cloud shared-memory plugin whose behavior is disclosed, but it also automatically mines chats into persistent skills by spawning local agent subprocesses in permission-bypassing modes, without adequate user control over either step.

Review before installing. Use this only if you are comfortable with full chat turns being uploaded to Deeplake and visible according to your org/workspace setup. Avoid secrets and regulated data unless your Deeplake controls allow it. Also account for the automatic skill-mining behavior: it can spawn local agent CLIs in powerful modes and write persistent skills, so audit generated skills and consider disabling auto-capture or not installing in high-sensitivity environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
This code persistently edits the user's Openclaw configuration to add the hivemind plugin/tool to allowlists and to toggle its auto-update behavior. Modifying security-relevant configuration on disk without clear user approval expands the plugin's effective permissions and can weaken the user's intended trust boundaries, especially because no skill purpose or consent flow is shown here.

Intent-Code Divergence

Low
Confidence: 82%
Finding
The logic for plugins.allow only checks for the literal string 'hivemind', while related allowlist logic elsewhere recognizes indirect coverage such as groups or tool names. This inconsistency can cause unnecessary persistent config changes, which is risky because it alters a user's security configuration beyond what is actually needed and may mask intent behind the modification.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The plugin markets itself primarily as shared memory, but the code also persists conversations and launches a detached background skill-mining worker that derives reusable skills from session data. That is a material expansion of data processing and execution behavior beyond the apparent feature boundary, which increases privacy risk and surprise for users and can result in sensitive prompts being repurposed into reusable artifacts.

Intent-Code Divergence

High
Confidence: 98%
Finding
The embedded prompt text says Openclaw does not run sessions to mine skills, but the agent_end hook later calls spawnOpenclawSkillifyWorker after captured sessions. This discrepancy is dangerous because operators and users may rely on the documentation to assess data handling, while the actual code performs additional background processing on conversation content.

Intent-Code Divergence

Medium
Confidence: 95%
Finding
The worker tells the gate agent to only emit a verdict, but then launches external agent CLIs with bypass/sandbox-disabling flags such as "bypassPermissions", "--dangerously-bypass-approvals-and-sandbox", and "--yolo". Because the prompt content is derived from prior session data and existing skills, potentially adversarial text can influence a fully empowered agent process, creating a prompt-injection-to-arbitrary-side-effect path on the local machine.

Vague Triggers

Medium
Confidence: 86%
Finding
The README encourages broad natural-language commands such as switching orgs or inviting users without clearly constraining which actions require explicit confirmation or narrow command syntax. In an agent setting, this increases the chance that ambiguous user text or prompt-injected content could trigger unintended administrative or data-sharing actions.

Natural-Language Policy Violations

Medium
Confidence: 89%
Finding
The description advertises memory as shared with every teammate in the org by default, without emphasizing consent, workspace segregation, or opt-in controls. This creates a real risk of oversharing sensitive prompts, outputs, or operational context across users who may not expect broad visibility.

Missing User Warnings

Medium
Confidence: 98%
Finding
The function writes a backup and then atomically replaces the user's config file without any visible warning, prompt, or confirmation. Silent persistence of security-relevant configuration changes is dangerous because users may be unaware that plugin/tool permissions were broadened, preventing informed consent and making later compromise harder to detect.

Missing User Warnings

Medium
Confidence: 97%
Finding
This code persistently changes the hivemind plugin's autoUpdate setting in the user's config with no user-facing confirmation. Changing update policy can materially affect supply-chain risk and runtime behavior, so doing it silently undermines user control over trust and maintenance decisions.

Missing User Warnings

Medium
Confidence: 96%
Finding
The agent_end hook automatically serializes user and assistant messages, optionally computes embeddings for them, and sends them to remote Deeplake storage without a just-in-time disclosure at the capture point. Because this operates on full conversation content and is enabled by default unless autoCapture is disabled, sensitive data can be copied to shared remote storage during ordinary usage.

Missing User Warnings

Medium
Confidence: 97%
Finding
This code spawns multiple external AI agent CLIs in explicitly dangerous modes without any confirmation or containment, granting them broad ability to act on the host. If an attacker can influence the prompt or selected agent, the subprocess may perform unauthorized file writes, command execution, or data exfiltration under the current user's privileges.
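The two findings above (the worker launching agent CLIs with "bypassPermissions", "--dangerously-bypass-approvals-and-sandbox" and "--yolo", and the uncontained subprocess spawning) are the kind of thing an operator should grep for before installing any skill. The script below is an added example, not Hivemind's or SkillSpector's code: it walks a source tree, records every child-process call and every bypass-mode flag the findings quote, and flags files that do both, which is the prompt-injection-to-side-effect path described. The sample files it writes into a temp directory are constructed for the demo; the flag list and file suffixes are assumptions you would extend for your own agent CLIs.

```python
"""Audit a skill/plugin source tree for agent-CLI invocations in
permission-bypassing modes. Added example, not the plugin's own code; the
flag strings are the ones quoted in the findings, the sample tree is constructed."""
import re
import tempfile
from pathlib import Path

# Bypass flags named in the findings (assumed list; extend for other CLIs).
DANGEROUS_MODES = (
    "bypassPermissions",
    "--dangerously-bypass-approvals-and-sandbox",
    "--yolo",
)
# Child-process entry points of Node's child_process module and common aliases.
SPAWN_RE = re.compile(r"\b(spawn|spawnSync|exec|execFile|execSync)\s*\(")
SOURCE_SUFFIXES = {".js", ".mjs", ".cjs", ".ts", ".py", ".sh"}


def scan_text(text: str):
    """Return [(line_no, kind, token)] for every bypass flag and every
    child-process call in `text`. Comments are deliberately not skipped:
    a flag in a commented-out line still deserves a human look."""
    hits = []
    for no, line in enumerate(text.splitlines(), start=1):
        for mode in DANGEROUS_MODES:
            if mode in line:
                hits.append((no, "bypass-mode", mode))
        m = SPAWN_RE.search(line)
        if m:
            hits.append((no, "spawn", m.group(1)))
    return hits


def scan_tree(root):
    """Walk `root` and map relative file path -> hits (files with hits only)."""
    root = Path(root)
    report = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and path.suffix in SOURCE_SUFFIXES:
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                report[str(path.relative_to(root)).replace("\\", "/")] = hits
    return report


def verdict(report):
    """Files that both spawn a process and pass a bypass flag: these are the
    ones where injected prompt text can turn into host side effects."""
    flagged = []
    for path, hits in report.items():
        kinds = {kind for _, kind, _ in hits}
        if {"spawn", "bypass-mode"} <= kinds:
            flagged.append(path)
    return flagged


# Constructed sample tree: one file mimicking the worker pattern, two benign.
SAMPLE_FILES = {
    "src/skillify-worker.js": (
        "const { spawn } = require('child_process');\n"
        "// constructed sample, not the real plugin\n"
        "const args = ['--dangerously-bypass-approvals-and-sandbox', prompt];\n"
        "spawn(cli, args, { detached: true, stdio: 'ignore' });\n"
        "spawn('other-agent', ['--yolo', prompt]);\n"
    ),
    "src/recall.js": "export function recall(q) { return store.query(q); }\n",
    "README.md": "Uses --yolo for speed\n",  # not a source suffix, ignored
}


def build_sample_tree():
    root = Path(tempfile.mkdtemp(prefix="skill-audit-"))
    for rel, body in SAMPLE_FILES.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(body)
    return root


if __name__ == "__main__":
    report = scan_tree(build_sample_tree())
    for path, hits in report.items():
        for no, kind, token in hits:
            print(f"{path}:{no}: {kind} {token}")
    print("needs review:", verdict(report))
```

Run it against the unpacked plugin directory instead of the sample tree (replace `build_sample_tree()` with the path). A hit is not a verdict by itself; it marks the file you open next to check where the prompt passed to that process comes from.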

Vague Triggers

Medium
Confidence: 91%
Finding
The manifest advertises 'auto-capture and auto-recall across sessions, agents, and teammates' but does not describe any gating conditions, scope limits, or consent requirements. In a cloud-backed memory skill, this broad language can normalize silent collection or resurfacing of potentially sensitive data, increasing the risk of unintended disclosure and privacy violations.

Missing User Warnings

High
Confidence: 95%
Finding
The description explicitly promotes cloud-backed shared memory and auto-capture, yet provides no warning about remote persistence, organizational sharing, or retention of captured content. Because the skill is designed to operate across sessions, agents, and teammates, missing disclosure materially increases the chance that users expose confidential prompts, internal data, or regulated information to a broader audience than intended.

Ssd 3

High
Confidence: 96%
Finding
The skill states that conversations are automatically captured after each turn and shared team-wide, which directly creates a data leakage channel for secrets, credentials, proprietary code, or regulated data discussed in chat. Because capture is automatic, users and downstream agents may disclose sensitive information before realizing it is being persisted remotely and exposed to teammates.

Ssd 3

High
Confidence: 98%
Finding
The privacy section explicitly says every user and assistant message is sent to an external API, which is a direct exfiltration pathway from the agent environment to a third-party service. In environments where chats may contain secrets, customer data, or internal code, this behavior materially increases confidentiality and compliance risk.

Ssd 3

Medium
Confidence: 93%
Finding
The injected prompt instructs the agent to always consult org-shared memory for recall requests, and the registered tools can read summaries and raw session records from shared storage. In a shared organizational context, that increases the chance that one user's normal query causes retrieval and disclosure of another user's historical session content or derived summaries without need-to-know checks.

Ssd 3

Medium
Confidence: 90%
Finding
The onboarding and welcome text normalizes that agents 'share memory across sessions, teammates, and machines,' while the plugin also auto-captures conversation messages in the background. This framing can lead users to unknowingly place sensitive information into broadly shared memory, increasing the risk of later cross-user disclosure.

VirusTotal

61/61 vendors flagged this plugin as clean.