EvoMap Dashboard

Security checks across malware telemetry and agentic risk

Overview

This EvoMap dashboard has real review concerns because it includes embedded node secrets, broad local-network exposure, and an unrelated remote publishing script.

Install only after reviewing the source and trusting the publisher. Do not enter secrets for accounts or nodes you are not authorized to access. The embedded credentials should be removed and rotated, publish.py should be deleted or split into a separate disclosed tool, and the dashboard should bind only to localhost with restricted CORS before normal use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill advertises and instructs network access to an external service, yet no explicit permissions are declared. This creates a transparency and consent problem: an agent or user may invoke it as if it were local-only while it actually transmits sensitive credentials and data over the network.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The documented purpose is a local read-only dashboard, but the described behavior includes proxying authenticated requests to an external service and static analysis indicates additional publish/write functionality unrelated to viewing status. This mismatch is dangerous because it can mislead users and agents into exposing credentials or triggering remote actions they did not authorize.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The UI explicitly tells users that credentials are only used locally and will not be uploaded to any third party, but the JavaScript later sends the Node Secret and Node ID in HTTP headers to backend endpoints via fetch. This is a trust-breaking mismatch involving sensitive credentials; users may disclose secrets under false assumptions, and the backend or any same-origin service receiving them can access and misuse the credentials.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The code hardcodes a default EvoMap node ID and secret, then silently uses them whenever the caller omits headers. This creates an undocumented backdoor-like credential path that grants access unrelated to the user's own node and directly contradicts the stated behavior of using user-supplied credentials.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
A reusable secret is embedded directly in source code for a tool whose purpose is only to launch a local dashboard viewer. Hardcoded secrets are easily exfiltrated, reused by anyone with code access, and can enable unauthorized access to the associated EvoMap node or account.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The module documentation says authentication comes from request headers for any node, but the implementation substitutes built-in credentials when none are provided. This deceptive mismatch hides privileged behavior from users and reviewers, increasing the likelihood of unauthorized access going unnoticed.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The skill metadata says it launches a local dashboard viewer, but the code instead iterates over multiple capsules and publishes them to a remote EvoMap hub. This is a strong capability mismatch: users invoking a local viewer would not reasonably expect authenticated outbound content publication, making the behavior deceptive and dangerous.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code constructs an authenticated POST request to https://evomap.ai/a2a/publish and uploads generated asset content, which is unrelated to a local dashboard viewer. In the context of this skill, remote publishing is unjustified and creates covert exfiltration and unauthorized remote-action risk.

Context-Inappropriate Capability

Medium
Confidence
99% confidence
Finding
The file embeds a node ID and bearer secret, then uses them for authenticated hub operations despite the skill claiming to only launch a local viewer. Hardcoded credentials in distributable code are inherently unsafe and, in this context, indicate unauthorized account use or credential leakage.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The documentation's broad trigger scope makes it easy for an agent to select this skill in situations involving someone else's node data, despite the lack of authorization checks in the description. That ambiguity increases the chance of misuse and unnecessary exposure of sensitive credentials.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The documentation's broad trigger scope makes it easy for an agent to select this skill in situations involving someone else's node data, despite the lack of authorization checks in the description. That ambiguity increases the chance of misuse and unnecessary exposure of sensitive credentials.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill asks users to enter a sensitive Node Secret but does not provide a prominent warning about the risks of transmitting and handling that secret. Without explicit notice, users may underestimate the sensitivity of the credential and share it in unsafe contexts or with automation they do not fully trust.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code stores the Node ID and Node Secret in sessionStorage and transmits the secret in an Authorization header, but the user-facing messaging does not clearly and accurately warn about this handling; in fact, other text suggests the opposite. In a dashboard skill whose stated purpose is to work with any Node ID + Node Secret combination, this increases the sensitivity because it encourages entry of reusable credentials that can be exposed to same-origin scripts, browser compromise, or backend logging.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill handles a sensitive node secret without any user-facing disclosure that a real credential is embedded and may be used automatically. In this context, the omission is dangerous because the skill is marketed as a generic local viewer, making hidden credential use especially misleading and likely to expose unauthorized account data.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The application sends Authorization bearer tokens to a remote service without clear disclosure to the user that credentials are being transmitted. Because this is presented as a local dashboard viewer and binds to 0.0.0.0 with permissive CORS, the context makes silent remote authenticated requests more risky and potentially accessible from other origins on the network.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The package description claims users can view any EvoMap node data using any Node ID and Node Secret combination, which is an overly broad access claim with no stated authorization boundaries or scope restrictions. In a dashboard skill handling node status, tasks, reputation, and assets, this language suggests possible unauthorized access to sensitive data and normalizes use beyond an intended owner or invite-based access model.

Missing User Warnings

High
Confidence
100% confidence
Finding
A hardcoded bearer token is present directly in the file and is used to authorize remote publishing. Anyone with access to the skill code can extract and misuse this credential, potentially impersonating the node and performing unauthorized actions against the hub.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill sends capsule content and metadata such as platform and architecture to a remote endpoint without clear upfront disclosure to the user. Even if the transmitted data is not highly sensitive by itself, undisclosed outbound transfer violates user expectations and can leak environment details or proprietary content.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The manifest description advertises that the skill 'works with any Node ID + Node Secret combination' and can launch a dashboard without clear trigger or authorization constraints. This broad activation language increases the chance the agent will invoke the skill in inappropriate contexts or treat arbitrary credentials as acceptable input, which is especially risky for a tool handling node secrets and local dashboard access.

Ssd 3

High
Confidence
96% confidence
Finding
The instructions normalize use of arbitrary Node ID and Node Secret pairs, which semantically endorses collecting or using credentials for accounts beyond the user's own. In context, this is especially dangerous because the skill directly connects to a live external service, so unauthorized credentials could immediately expose private node data or permit account actions.

Ssd 3

High
Confidence
95% confidence
Finding
Feature text that says users can enter 'any' credentials to view node data promotes access to sensitive information based solely on possession of a secret, without emphasizing authorization boundaries. Because the skill is framed as a convenient dashboard, this can reduce user caution and make credential misuse seem acceptable.

VirusTotal

56/56 vendors flagged this skill as clean.
