Security audit

Cnexus2 Cognitive Os

Security checks across malware telemetry and agentic risk

Overview

This is a local second-brain app, but it exposes unauthenticated local APIs and can send chat, memory, embeddings, or uploaded content to configured model services despite strong offline/local messaging.

Install only if you are comfortable running a local web service that stores and exposes conversation/upload-derived memory through localhost APIs. Keep it bound to 127.0.0.1, do not expose the port to a network, avoid visiting untrusted sites while it is running, and review any OPENAI_API_KEY, DEEPSEEK_API_KEY, OLLAMA_HOST, or model settings before use. Do not upload sensitive documents unless you have disabled remote providers and are comfortable with the app’s memory consolidation and pruning behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (39)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
            "download_url": "https://ollama.com/download",
        }
    try:
        subprocess.Popen(
            [binary, "serve"],
            stdout=subprocess.DEVNULL,
            stderr=subprocess.DEVNULL,
Confidence
87% confidence
Finding
subprocess.Popen( [binary, "serve"], stdout=subprocess.DEVNULL, stderr=subprocess.DEVNULL, creationflags=getattr(subprocess, "CREATE_NO_WINDOW",

Tainted flow: 'req' from os.environ.get (line 1672, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
    if api_key and not is_ollama:
        headers["Authorization"] = f"Bearer {api_key}"
    req = urlrequest.Request(url, data=data, headers=headers, method="POST")
    with urlrequest.urlopen(req, timeout=120) as resp:
        payload = json.loads(resp.read().decode("utf-8", errors="replace"))

    reply = ""
Confidence
95% confidence
Finding
with urlrequest.urlopen(req, timeout=120) as resp:

Tainted flow: 'req' from os.environ.get (line 1672, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        with urlrequest.urlopen(req, timeout=5.0) as response:
            res_data = json.loads(response.read().decode("utf-8", errors="replace"))
            vector = res_data.get("embedding") or []
            if vector:
Confidence
93% confidence
Finding
with urlrequest.urlopen(req, timeout=5.0) as response:

Tainted flow: 'req' from os.environ.get (line 1672, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            },
            method="POST",
        )
        with urlrequest.urlopen(req, timeout=12.0) as response:
            res_data = json.loads(response.read().decode("utf-8", errors="replace"))
            vector = None
            if isinstance(res_data.get("embedding"), list):
Confidence
96% confidence
Finding
with urlrequest.urlopen(req, timeout=12.0) as response:

Tainted flow: 'req' from os.environ.get (line 1672, credential/environment) → urllib.request.urlopen (network output)

Critical
Category
Data Flow
Content
            headers={"Content-Type": "application/json"},
            method="POST",
        )
        with urlrequest.urlopen(req, timeout=30.0) as response:
            res_data = json.loads(response.read().decode("utf-8", errors="replace"))
            raw_text = res_data.get("response", "")
            return _parse_visual_relationships(raw_text)
Confidence
91% confidence
Finding
with urlrequest.urlopen(req, timeout=30.0) as response:

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The UI exposes unauthenticated introspection endpoints such as memory dumps, execution traces, cognitive state, skill graph, and a reset operation. Even if intended for local debugging, these endpoints disclose sensitive internal state and enable destructive actions without access control, which becomes risky if the service is bound beyond localhost, proxied, or accessed by untrusted local users or browser contexts.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The upload endpoint accepts arbitrary unauthenticated content and feeds it directly into the engine via api_converse, effectively turning file upload into prompt/data ingestion. This expands the attack surface beyond a simple local UI and can lead to sensitive data ingestion, prompt-injection-style manipulation of engine behavior, resource abuse, and unintended persistence of uploaded content.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill claims to be a local digital second-brain, yet this code can transmit user prompts and memory context to external LLM providers. That mismatch is security-relevant because users are likely to trust the local-first description and may disclose sensitive data they would not share if remote processing were clearly disclosed.

Context-Inappropriate Capability

High
Confidence
89% confidence
Finding
The application includes a host-level capability to discover and launch the Ollama binary, which exceeds a typical assistant's need to merely talk to a local service. Embedded process-control features are dangerous when exposed through network-accessible APIs because they let the application change host runtime state, not just serve responses.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The code harvests host API keys from environment variables to enable cloud embedding fallback, despite the skill being presented as local-first. This expands trust boundaries and can silently convert local content processing into third-party transmission when keys happen to be present on the host.

Intent-Code Divergence

High
Confidence
94% confidence
Finding
The generated output states that the personal edition does not depend on Ollama or external API keys, but the runtime clearly can use both. Security-relevant false assurances can mislead users and operators about where data is processed and what dependencies are active, undermining informed consent and incident response.

Intent-Code Divergence

High
Confidence
94% confidence
Finding
This insight text says the kernel runs without external LLMs, yet other code paths can invoke external providers for chat. Misrepresentation of data flow and execution environment is dangerous in privacy-sensitive assistant software because it causes users to trust an isolation boundary that may not exist.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code prepends a hard-coded external directory to sys.path, causing Python imports to resolve from that location before the packaged skill code. This creates a code-injection and module-hijacking risk: anyone able to modify that directory can influence imported modules such as src.kernel or src.llm_adapter and execute arbitrary code in the agent context.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The adapter sends user input plus memory-derived context to an HTTP endpoint, which creates a data exposure path inconsistent with the 'local cognitive OS' expectation. Even when targeting localhost, this can leak sensitive internal state to another service without clear trust boundaries, authentication, or minimization.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The prompt template is designed to impersonate a specific speaker using historical statements and psychological framing, which enables deceptive output generation. In a cognitive assistant context, this increases the risk of fraud, social engineering, and unauthorized identity simulation rather than serving a neutral assistant purpose.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The UI repeatedly markets the product as a 'pure offline' or local-only experience, but the code performs network interactions to localhost services, same-origin APIs, and also references external endpoints such as ollama.com/download and DeepSeek-related configuration paths. This is dangerous because it misleads users about the app's trust boundary and data exposure model, causing them to enter sensitive information under false assumptions about connectivity and isolation.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The bundle contains explicit support for cloud LLM providers and outbound webhook delivery, including OpenAI, Anthropic, DeepSeek, and arbitrary webhook URLs. That conflicts with the product's stated 'local-only' cognitive OS positioning and creates a real risk that user prompts, memory, or other sensitive cognitive data can be transmitted off-device to third parties.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
This module performs broad remote API, WebSocket, EventSource, file upload, chat, memory, and gateway operations despite the skill metadata emphasizing a local runtime. The mismatch is security-relevant because operators and users may trust the app with highly sensitive data under a local-only assumption while the code is designed to communicate extensively with remote services.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The specification allows an unconstrained `summary` field intended for debugging, but provides no limits, redaction requirements, or prohibition on including secrets, prompts, user content, tokens, file contents, or other sensitive runtime data. In a cognitive/trace-heavy local agent system, developers commonly dump rich context into debug fields, which can turn the trace into a secondary data-exfiltration and privacy-leak surface, especially if traces are persisted, exported, or inspected by other components.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The spec explicitly writes a synthesized narrative of each iteration into a persistent Block Store but provides no requirement for user notice, consent, retention limits, or controls over what trace-derived content is stored. In a 'digital second brain' / cognitive runtime context, these narrative records can accumulate sensitive behavioral, intent, and usage metadata over time, creating privacy and surveillance risk if accessed, retained unexpectedly, or repurposed.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The reflective Block stores a self-summary derived from the iteration trace, which may encode internal reasoning-adjacent metadata, inferred intent, anomalies, and behavioral patterns, yet the spec contains no user warning or privacy boundary for this persistent logging. Because the broader skill is framed as a local cognitive OS with memory, this makes undisclosed long-term profiling of user interactions and system inferences more plausible and therefore more dangerous.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The spec mandates persistent storage of interaction-derived data every round, including episodic summaries and emotion labels, but provides no requirement for user notice, consent, retention controls, or opt-out. In a 'digital second brain' context, this increases privacy risk because sensitive conversational content and inferred emotional state may be stored by default without the user's informed awareness.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The description states that the system performs automatic memory pruning and compression, including deleting 'garbage memory,' without warning users about data loss, reversibility, retention policy, or controls. In a 'second brain' product, silent deletion or irreversible summarization can destroy user data or alter records in ways the user does not expect.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill mentions fallback to a cloud Embedding API while marketing itself as local-first, but does not warn that user prompts, memory content, code, or metadata may be transmitted off-device. This is a material privacy and data-governance risk, especially for a knowledge-memory system likely to process sensitive personal or proprietary information.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Uploaded file contents are decoded and passed into the conversation pipeline, and the code path stores inputs in memory that are later retrievable through memory_dump and related introspection responses. Users are not warned that uploaded content may persist in memory and be exposed via debug endpoints, creating a privacy and data leakage risk for sensitive files.

VirusTotal

VirusTotal findings are pending for this skill version.