cnexus-cognitive-core

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a local cognitive-memory kernel, but it needs review because it promotes persona cloning and automatically persists user-derived memory and state with limited disclosure and controls.

Review before installing. This package does not show network exfiltration, destructive actions, or hidden background persistence, but it automatically stores local user-derived state and its documentation encourages cloning real people from their text without consent safeguards. Use only with data you are authorized to process, avoid entering secrets, and prefer a version that replaces exec-based loading, scopes boot files explicitly, and makes persistence opt-in with clear delete/export controls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Dangerous chain: exec() wrapping os.path.join

Critical
Category
Dangerous Code Execution
Content
# ── Embed kernel.py inline as part of the skill ──
_execute_globals = {}
exec(open(os.path.join(os.path.dirname(__file__), 'kernel.py'), encoding='utf-8').read(), _execute_globals)
CNexusOSKernel = _execute_globals['CNexusOSKernel']
Confidence
98% confidence
Finding
exec(open(os.path.join(os.path.dirname(__file__), 'kernel.py'), encoding='utf-8').read(), _execute_globals)

exec() call detected

High
Category
Dangerous Code Execution
Content
# ── Embed kernel.py inline as part of the skill ──
_execute_globals = {}
exec(open(os.path.join(os.path.dirname(__file__), 'kernel.py'), encoding='utf-8').read(), _execute_globals)
CNexusOSKernel = _execute_globals['CNexusOSKernel']
Confidence
97% confidence
Finding
exec(open(os.path.join(os.path.dirname(__file__), 'kernel.py'), encoding='utf-8').read(), _execute_globals)

Direct flow: open (file read) → exec (code execution)

High
Category
Data Flow
Content
# ── Embed kernel.py inline as part of the skill ──
_execute_globals = {}
exec(open(os.path.join(os.path.dirname(__file__), 'kernel.py'), encoding='utf-8').read(), _execute_globals)
CNexusOSKernel = _execute_globals['CNexusOSKernel']
Confidence
99% confidence
Finding
exec(open(os.path.join(os.path.dirname(__file__), 'kernel.py'), encoding='utf-8').read(), _execute_globals)

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The skill documentation broadens a cognitive-core component into persona cloning and digital-twin replication without clear constraints, provenance checks, or consent safeguards. In context, this makes the skill more dangerous because it encourages use on identifiable individuals' data and positions the system as suitable for mimicking a person's beliefs, style, and reasoning, which can enable impersonation and social engineering.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The wrapper's stated purpose is to expose a cognitive kernel, but it does so by dynamically executing source text, which is a broader capability than necessary. That mismatch increases attack surface and obscures behavior during review, making the skill more dangerous than its declared function suggests.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
Initialization searches multiple parent directories for JSON configuration files outside the immediate skill package. This expands the trust boundary to external filesystem locations, so a malicious or unintended file placed higher in the directory tree could influence boot behavior and potentially alter routing, graphing, or classification logic.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code persistently writes memory contents, execution history, and cognitive state to a local JSON file without any access controls, minimization, or disclosure. Because those structures contain user-derived input and behavioral state, this creates a confidentiality and privacy risk if the host is shared, compromised, or logs are later exfiltrated.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation instructs users to ingest months of a target person's text footprints and commit them into memory blocks, but it provides no warning about privacy, data protection, retention, or lawful basis for processing personal data. This is risky because the skill appears designed to persist and reuse personal behavioral data locally, potentially violating privacy expectations or policy requirements.

Natural-Language Policy Violations

High
Confidence
95% confidence
Finding
The skill explicitly promotes cloning a person's vocabulary, stance, and syntax without any opt-in, consent, or anti-impersonation controls. In a skill marketed as a production-ready local kernel extension, this materially raises abuse potential for identity mimicry, fraud, deceptive endorsements, or highly targeted social-engineering content.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The STORE step records slices of raw user input, skill names, and execution trace data into long-lived memory structures without any visible notice, consent, or sensitivity filtering. In an agent skill context, users may provide secrets or personal data during normal interaction, so retaining this by default increases the chance of unintended disclosure through later recall, dumps, or disk persistence.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
Persisting full state to disk without visible disclosure creates covert retention of user-derived data and behavioral metadata across sessions. This is especially risky because the persisted JSON includes memory and execution history that can later be inspected, copied, or exposed by other local processes or backup systems.

Ssd 3

Medium
Confidence
96% confidence
Finding
The kernel stores user-provided input and execution artifacts under benign 'memory' semantics, then later exposes them via recall-oriented features such as memory_dump and weighted retrieval. This makes sensitive user content more likely to be retained and surfaced in future interactions, turning ordinary prompts into a durable disclosure channel.

VirusTotal

VirusTotal findings are pending for this skill version.