Back to skill

Security audit

TARDIS

Security checks across malware telemetry and agentic risk

Overview

The core time tracker appears legitimate, but the package also includes broad secret loading, public webhook tunneling, and background service behavior that users should review before installing.

Install only if you want the networked notification and webhook features, not just a local timer. For local-only use, avoid SendGrid, Discord webhooks, cloudflared/ngrok tunnels, and check-webhook-services.sh. If you do use webhooks, enable SendGrid signature verification, restrict who can edit meters.json and HEARTBEAT.md, review what data is sent to SendGrid and Discord/OpenClaw, and replace broad .env loading with a dedicated least-privilege config.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (40)

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill documentation describes capabilities that require environment access, file I/O, networking, and shell execution, but no corresponding permissions are declared. This creates a transparency and consent problem: an operator may invoke a seemingly simple time-tracking skill without understanding that it can access secrets, write persistent files, send network traffic, and run local commands.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The declared purpose is a tamper-evident elapsed-time tracker, but the documented behavior expands into email sending, webhook ingestion, Discord posting, event logging, tunnel/service management, and career calculations. Large undocumented scope increases attack surface and makes risky capabilities harder for users and reviewers to evaluate, especially when network-facing services and automated actions are bundled into a utility skill.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The README advertises capabilities well beyond the declared meter-management scope, including email delivery, webhook ingestion, Discord forwarding, and agent-action triggers. That scope expansion increases attack surface and can mislead operators or downstream agents into enabling networked behaviors and instruction-execution paths that are not obvious from the skill metadata.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest description omits milestone automation, notifications, and career-planning functionality that materially change what the skill does. Incomplete disclosure can cause users to enable automation or external messaging features without realizing they are part of the package.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest does not disclose that the skill can run an HTTP webhook server and integrate with Discord webhooks. Network-facing listeners and outbound webhook posting are security-significant behaviors, and hiding them behind a generic time-tracker description undermines informed consent and risk review.

Context-Inappropriate Capability

High
Confidence
89% confidence
Finding
Discord webhook posting is not necessary for the core purpose of tracking elapsed time, yet it introduces outbound exfiltration and notification-channel abuse potential. If milestone or email event data is forwarded automatically, sensitive user event metadata can leave the local environment and appear in third-party channels.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
A webhook server for engagement and deliverability tracking is unrelated to the core hour-meter function and materially increases risk by exposing an HTTP endpoint and processing external events. Even if intended for convenience, network listeners invite abuse, misconfiguration, and data collection beyond user expectations for a local timer utility.

Description-Behavior Mismatch

Medium
Confidence
86% confidence
Finding
The whitepaper documents a `career` earnings/projection command that is outside the stated supported operations for the skill. Undocumented or manifest-mismatched capabilities increase the risk of hidden functionality, mis-scoped agent behavior, and user consent failures because operators may enable or trust a skill for one purpose while it performs another.

Context-Inappropriate Capability

Medium
Confidence
78% confidence
Finding
A career earnings/projection feature materially expands the skill from elapsed-time tracking into financial estimation, which is not justified by the stated tamper-evident hour-meter purpose. This scope creep can lead to misuse, overcollection of sensitive inputs such as pay rates, and unexpected processing that users did not anticipate from the skill's description.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
This script manages a SendGrid webhook listener and a Cloudflare tunnel, which is unrelated to the stated purpose of an hour-meter skill. In the context of a time-tracking utility, hidden network-exposed service management is highly suspicious because it can create covert external access paths and indicates behavior outside user expectations.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script reads secrets from /root/.env and injects a Discord webhook value into a subprocess even though the skill is supposed to track elapsed time. Accessing host-level secrets unrelated to the advertised functionality is dangerous because it broadens credential exposure and suggests undisclosed outbound communications.

Description-Behavior Mismatch

Medium
Confidence
82% confidence
Finding
The implementation materially exceeds the stated skill scope by adding milestone notifications, email/network behavior, and extra operating modes beyond the manifest. Scope drift matters because users and reviewers may trust the manifest while the code performs additional actions, including external transmission paths that are not obvious from the description.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill automatically reads arbitrary .env files and imports their contents into process environment variables, then uses external email/network capabilities that are not justified by the stated hour-meter purpose. In a skill context, undisclosed credential loading plus outbound messaging is risky because it expands trust boundaries and can surprise operators with secret consumption and external data flow.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
This file implements an email-event webhook server with Discord forwarding, which is materially unrelated to the stated hour-meter purpose. Capability mismatch is dangerous because it introduces hidden network-facing behavior and data-handling paths that users would not reasonably expect from a time-tracking skill, increasing the chance of covert collection or exfiltration of operational data.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code exposes an HTTP endpoint and performs outbound POST requests to Discord or an OpenClaw gateway, creating inbound and outbound network channels unrelated to the advertised functionality. In the context of an hour-meter skill, these extra capabilities significantly expand the attack surface and could be abused to relay externally supplied content or move sensitive event data off-host.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script persists SendGrid event records containing recipient addresses and engagement or bounce metadata, which is unrelated to hour-meter operation. Collecting and storing third-party email telemetry in an unexpected component creates privacy and compliance risk, and the mismatch in stated purpose makes the behavior more suspicious and dangerous.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The email notification feature sends meter names, milestone messages, elapsed time, descriptions, and related event data to an external email provider, but the documentation does not give a clear privacy warning. Users may track highly sensitive personal events, so transmitting this metadata off-device can create unintended exposure.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The webhook workflow collects recipient engagement and deliverability telemetry such as opens, clicks, bounces, unsubscribes, and spam reports without a prominent privacy warning. This can capture behavioral metadata about email recipients and relay it into logs or Discord, which may violate user and recipient expectations.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The whitepaper promotes automatic milestone notifications and third-party routing but does not clearly warn that meter names, descriptions, milestone messages, channels, and targets may reveal sensitive personal information when sent externally. In this skill's context, examples include sobriety, pregnancy, career, and health-related milestones, making silent transmission to Discord, Telegram, SMS, or webhooks a meaningful privacy risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The cloud sync recommendation encourages copying plaintext `meters.json` and witness logs to third-party storage without a clear warning that these files can contain sensitive life-event, health, project, or equipment data. Because the skill is explicitly used for potentially intimate milestones and stores data unencrypted, this can expose users to privacy leakage or unauthorized access through cloud provider compromise, shared accounts, or misconfiguration.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
Sourcing sensitive environment data from /root/.env and forwarding a webhook credential to a child process without disclosure can expose secrets to unintended code paths, logs, and process inspection. Even if the value is quoted on invocation, the behavior violates least privilege and conceals credential use from the operator.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script automatically launches and restarts background services with nohup and no user confirmation. In a skill that should only track elapsed time, silently creating persistent background processes and network tunnels increases the risk of unauthorized exposure, surprise resource usage, and stealthy behavior.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The code silently reads .env files from the current directory, the user's home directory, and /root, importing variables without user-facing disclosure. In a skill or agent setting, hidden secret ingestion is dangerous because users may not realize the tool is consuming ambient credentials, and a hostile workspace could plant a .env file that alters behavior unexpectedly.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
Locking a meter automatically persists meter name, timestamp, paper code, and full integrity hash to a witness file without affirmative consent at the moment of write. Because the witness file is specifically intended for cloud sync, this can unintentionally disclose sensitive personal event names or verification data into broader storage and backup systems.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The milestone checker can send meter names, descriptions, and milestone messages to SendGrid automatically when conditions are met, without a contemporaneous user prompt. In the skill context, this is more dangerous because a utility advertised mainly as a local hour meter quietly gains external notification behavior that may reveal sensitive life events or schedules.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.