jinn-node

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent Jinn worker purpose, but it needs Review because it asks for broad access to wallet funds, credentials, private chat history, background jobs, and public posting workflows.

Install only if you are comfortable with an agent that can work with a funded wallet, local credentials, GitHub/Gemini auth, OpenClaw conversation history, Supabase writes, and scheduled background tasks. If you do install it: use a separate low-value wallet and least-privilege tokens, avoid broad .env discovery, do not provide service-role credentials unless you understand their scope, and enable profiling or WhatsApp cron jobs only after explicit opt-in and with a removal plan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 96%
Finding
The skill instructs the agent to scan recent session logs and derive a persistent preference profile including interests, expertise, frustrations, and venture-relevant intents. That expands the skill from explicit Launchpad actions into ongoing behavioral profiling, creating unnecessary local surveillance risk and increasing the chance that sensitive conversational data is repurposed beyond the user’s immediate request.

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
Reading broad local conversation history from session logs to infer topics, frustrations, and expertise is not necessary for basic venture browsing or posting actions. Even if the profile is kept local, this creates a privacy-invasive data aggregation capability that could expose sensitive user behavior if the files are later accessed, leaked, or reused by other automations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding
The cron setup enables autonomous recurring scans of local sessions and proactive outreach over WhatsApp without a clear opt-in flow in the skill itself. Scheduled background analysis plus external messaging materially increases privacy and abuse risk because the agent can initiate actions outside the user’s active session context.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The guide instructs the agent to search the user's home directory for arbitrary `.env` files and reuse secrets that may belong to unrelated projects. This violates least-privilege and creates a clear path for credential harvesting, accidental cross-project secret reuse, and exposure of sensitive tokens far beyond what is necessary to configure this skill.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding
The setup guide directs access to `~/.gemini/oauth_creds.json`, a credential file outside the project boundary. Even if intended as convenience, instructing an agent to inspect home-directory auth material broadens credential access unnecessarily and risks misuse or disclosure of unrelated account credentials.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill explicitly instructs the operator to solicit sensitive secrets from the user and persist them into a local `.env` file, but it does not warn about the sensitivity of those values, how they will be stored, or the risks of leakage through logs, backups, shell history, or accidental commits. In this context, the requested values include API keys, RPC endpoints, GitHub tokens, and a wallet encryption password tied to a crypto workflow, so mishandling could expose accounts, funds, or code repositories.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The activation rules include very common phrases like 'I wish...' and 'Is there a way to...' that appear in ordinary conversation unrelated to Launchpad participation. Overbroad triggers can cause unintended invocation of the skill, which is especially risky here because the skill can read local files, build profiles, and prepare external actions.
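
The false-positive problem with these triggers can be measured directly. The following is an added example, not the skill's own matcher or anything from the scanner: it runs the two quoted phrases over a handful of constructed chat messages, then repeats the run with a scoped rule that additionally requires a Launchpad or venture context term. The context terms and the sample messages are assumptions for illustration.

```python
"""Trigger-scope check: added example, not the skill's matcher. Shows why
'I wish...' and 'Is there a way to...' fire on everyday chat and how requiring
a domain term alongside them removes those accidental invocations.
Messages and context terms below are constructed for the demo."""
import re

# Phrases the finding quotes as activation rules.
BROAD_TRIGGERS = [r"\bi wish\b", r"\bis there a way to\b"]
# Context terms a scoped rule additionally requires (assumed, not from the skill).
CONTEXT_TERMS = [r"\blaunchpad\b", r"\bventure", r"\bjinn\b", r"\bwallet\b"]


def _any(patterns, text):
    return any(re.search(p, text, re.I) for p in patterns)


def matches_broad(message: str) -> bool:
    """The rule as written: any trigger phrase anywhere in the message."""
    return _any(BROAD_TRIGGERS, message)


def matches_scoped(message: str) -> bool:
    """Hardened rule: a trigger phrase and a domain term must co-occur."""
    return matches_broad(message) and _any(CONTEXT_TERMS, message)


# Constructed sample: (message, does the user actually want Launchpad actions?)
SAMPLE = [
    ("I wish my laptop would stop overheating", False),
    ("Is there a way to mute this group chat?", False),
    ("I wish this recipe had fewer steps", False),
    ("Is there a way to see new ventures on the Launchpad?", True),
    ("I wish I could post my venture idea to Launchpad", True),
    ("Is there a way to fund my jinn wallet from a test faucet?", True),
    ("What time is it in Tokyo?", False),
]


def evaluate(matcher, sample=SAMPLE) -> dict:
    """Count correct firings, accidental firings and misses for one rule."""
    tp = fp = fn = 0
    for message, intended in sample:
        fired = matcher(message)
        tp += int(fired and intended)
        fp += int(fired and not intended)
        fn += int(not fired and intended)
    return {"true_positives": tp, "false_positives": fp, "missed": fn}


if __name__ == "__main__":
    print("broad :", evaluate(matches_broad))
    print("scoped:", evaluate(matches_scoped))
```

On this sample the broad rule fires on three unrelated messages while the scoped rule fires on none of them and still catches every genuine request. Narrowing the trigger only reduces accidental activation; given that this skill reads local files once active, it should still confirm with the user before any file access or external action.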

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The top-level description states that the skill builds a persistent preference profile from conversation history, but it does not present a clear upfront consent requirement or prominent warning before that behavior occurs. Silent persistence of inferred user traits is a privacy vulnerability because users may engage for Launchpad browsing without understanding that broader history will be mined and stored.

Natural-Language Policy Violations

Severity: Low
Confidence: 87%
Finding
The cron configuration hardcodes WhatsApp as the outbound channel for the morning brief without indicating user choice or opt-in. While lower severity than profiling itself, forcing a specific messaging channel can leak activity patterns or unwanted notifications to an external service and violates least surprise.
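
What an opt-in gate for the scheduled job could look like, for both cron findings above (the recurring session scan with proactive outreach, and the hardcoded WhatsApp channel). This is an added example and not the skill's cron configuration: the background task runs only when the user has explicitly granted it for a channel they chose, and each grant carries an expiry so a removal path exists by default. The task name, channel names and the consent record format are assumptions.

```python
"""Opt-in gate for a scheduled job. Added example, not the skill's cron setup:
the morning brief runs only under a live, user-granted consent that names the
delivery channel, and grants expire so removal is the default outcome.
Task names, channel names and the record format are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


@dataclass
class Grant:
    task: str
    channel: str            # chosen by the user, never hardcoded by the skill
    expires_at: datetime


@dataclass
class ConsentStore:
    grants: dict = field(default_factory=dict)

    def grant(self, task: str, channel: str, now: datetime, ttl_days: int = 30) -> None:
        self.grants[task] = Grant(task, channel, now + timedelta(days=ttl_days))

    def revoke(self, task: str) -> None:
        self.grants.pop(task, None)

    def allows(self, task: str, channel: str, now: datetime) -> bool:
        g = self.grants.get(task)
        return g is not None and g.channel == channel and now < g.expires_at


def run_scheduled(task: str, channel: str, store: ConsentStore, now: datetime, action) -> str:
    """Cron-style entry point: refuse unless a live opt-in matches the channel."""
    g = store.grants.get(task)
    if g is None:
        return "skipped: no opt-in recorded"
    if g.channel != channel:
        return f"skipped: user opted in to {g.channel}, not {channel}"
    if now >= g.expires_at:
        store.revoke(task)          # expiry doubles as the removal plan
        return "skipped: opt-in expired, grant removed"
    action()
    return "ran"


def scenario() -> dict:
    """Constructed timeline: no consent, wrong channel, a valid run, then expiry."""
    sent = []
    store = ConsentStore()
    t0 = datetime(2025, 1, 1, 7, 0, tzinfo=timezone.utc)

    def deliver():
        sent.append("morning brief")

    results = [run_scheduled("morning_brief", "whatsapp", store, t0, deliver)]
    store.grant("morning_brief", "email", t0, ttl_days=7)   # user picks the channel
    results.append(run_scheduled("morning_brief", "whatsapp", store, t0, deliver))
    results.append(run_scheduled("morning_brief", "email", store, t0 + timedelta(days=1), deliver))
    results.append(run_scheduled("morning_brief", "email", store, t0 + timedelta(days=8), deliver))
    return {
        "results": results,
        "delivered": len(sent),
        "still_granted": store.allows("morning_brief", "email", t0 + timedelta(days=8)),
    }


if __name__ == "__main__":
    print(scenario())
```

The point of the expiry is that silence never extends a background job: a user who stops engaging gets the outreach removed without having to find and delete a cron entry.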

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The instructions tell the agent to surface discovered secret values such as RPC URLs, passwords, and tokens back to the user in plain language. This creates unnecessary secret handling and increases the chance of credentials being exposed in chat logs, terminal history, screenshots, or other transcripts.

Ssd 3

Severity: High
Confidence: 99%
Finding
This section explicitly directs the agent to search for sensitive credentials in existing `.env` files and reveal them to the user. That behavior is dangerous because it normalizes secret exfiltration from unrelated files and may expose passwords, API keys, and tokens that should remain compartmentalized.
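
The hardened alternative to the behaviour in this finding and the earlier ones on home-directory `.env` discovery, `~/.gemini/oauth_creds.json` access, persisting user-supplied secrets, and echoing secret values back in chat. This is an added example, not code from the skill or from the scanner: a loader that only ever reads `<project>/.env`, rejects any path that resolves outside the project root, writes new secrets with owner-only permissions and a `.gitignore` entry, and redacts sensitive values before they are shown to the user. Key names, paths and sample values are constructed.

```python
"""Project-scoped secret handling. Added example, not code from the skill or
the scanner: the hardened alternative to home-directory .env discovery and
plain-text secret echoing. Key names, paths and sample values are constructed."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Keys whose values must never be surfaced to the user in full.
SENSITIVE_KEY_RE = re.compile(r"KEY|TOKEN|SECRET|PASS|PRIVATE|RPC", re.I)


def is_in_scope(path: Path, project_root: Path) -> bool:
    """True only if the fully resolved path lives under the project root.
    Resolving first defeats a symlink that points at ~/.env or ~/.gemini/."""
    root = project_root.resolve()
    target = path.resolve()
    return target == root or root in target.parents


def load_project_env(project_root: Path) -> dict:
    """Read KEY=VALUE pairs from <project>/.env only; no wider discovery."""
    env_path = project_root / ".env"
    if not is_in_scope(env_path, project_root):
        raise PermissionError(f"refusing to read {env_path}: outside project root")
    values = {}
    if not env_path.exists():
        return values
    for raw in env_path.read_text().splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("\"'")
    return values


def persist_secret(project_root: Path, key: str, value: str) -> Path:
    """Append a user-supplied secret to the project .env with owner-only
    permissions, and keep .env out of git so it cannot leak via a commit."""
    env_path = project_root / ".env"
    if not is_in_scope(env_path, project_root):
        raise PermissionError(f"refusing to write {env_path}: outside project root")
    with open(env_path, "a") as fh:
        fh.write(f"{key}={value}\n")
    os.chmod(env_path, stat.S_IRUSR | stat.S_IWUSR)  # 0600
    gitignore = project_root / ".gitignore"
    ignored = gitignore.read_text().split() if gitignore.exists() else []
    if ".env" not in ignored:
        with open(gitignore, "a") as fh:
            fh.write(".env\n")
    return env_path


def redact(value: str, keep: int = 4) -> str:
    """Keep a short suffix so the user can recognise which value is set
    without the full secret landing in chat logs or transcripts."""
    if len(value) <= keep:
        return "****"
    return "*" * (len(value) - keep) + value[-keep:]


def describe_env(values: dict) -> dict:
    """What the agent may report back: sensitive values redacted."""
    return {k: (redact(v) if SENSITIVE_KEY_RE.search(k) else v) for k, v in values.items()}


def run_demo() -> dict:
    """Constructed fixture: a project .env next to an unrelated ~/.env and a
    ~/.gemini/oauth_creds.json that a scoped loader must leave alone."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp) / "home"
        project = home / "jinn-node"
        (home / ".gemini").mkdir(parents=True)
        project.mkdir()
        (home / ".env").write_text("OTHER_PROJECT_TOKEN=ghp_unrelated\n")
        (home / ".gemini" / "oauth_creds.json").write_text('{"access_token": "constructed"}')
        (project / ".env").write_text(
            "SUPABASE_URL=https://example.invalid\nWALLET_PASSWORD=hunter2hunter2\n"
        )
        persist_secret(project, "GITHUB_TOKEN", "ghp_constructedexample1234")
        loaded = load_project_env(project)
        return {
            "keys": sorted(loaded),
            "shown": describe_env(loaded),
            "mode": stat.S_IMODE(os.stat(project / ".env").st_mode),
            "home_env_in_scope": is_in_scope(home / ".env", project),
            "gemini_in_scope": is_in_scope(home / ".gemini" / "oauth_creds.json", project),
            "gitignored": ".env" in (project / ".gitignore").read_text().split(),
        }


if __name__ == "__main__":
    print(run_demo())
```

The scope check is the part that matters: resolving the path before comparing it to the project root is what stops a `.env` symlink, or an instruction to "look for existing secrets", from reaching credential files that belong to other projects or accounts.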

VirusTotal

65/65 vendors reported this skill as clean (0 detections).

Antivirus engines check the packaged files against known malware signatures and heuristics; they do not assess the natural-language instructions behind the findings above, so a clean result here does not offset them.