Brain Search

Security checks across malware telemetry and agentic risk

Overview

This skill connects an agent to a personal external knowledge base and gives it broad, ungated power to read, write, upload, delete, and delegate work there.

Install only if you are the intended owner of Frank's Second Brain and you trust the hardcoded API key, service, and downstream agents. Treat this as a privileged integration: do not let it upload local files, delete attachments, create jobs, or log sensitive information unless you explicitly requested that action and reviewed what will be sent.
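One way to enforce that rule in the agent's tool layer, as an added example that is neither the skill's code nor SkillSpector's: a Python gate that classifies each outgoing request by HTTP method and path, allows only reads until the operator has approved an action class, rejects any destination other than the Second Brain host, and refuses an x-api-key header that does not match a key configured outside the skill text. The route table, the action classes and the SECOND_BRAIN_API_KEY variable name are assumptions; only the host and the attachments listing route are quoted on this page.

```python
"""Approval gate for an agent's HTTP calls to a knowledge-base API.

Added example, not part of the brain-search skill or of SkillSpector. The
route table, the action classes and the SECOND_BRAIN_API_KEY variable name are
assumptions; only the host and the /api/entries/.../attachments route are
quoted in the report. The upload, delete and jobs paths are guessed.
"""
import os
import re
from dataclasses import dataclass, field
from typing import Optional
from urllib.parse import urlparse

ALLOWED_HOST = "second-brain-chi-umber.vercel.app"  # host quoted in the skill
KEY_ENV = "SECOND_BRAIN_API_KEY"                   # assumed variable name

# Action classes, least to most consequential. Only READ is allowed by default.
READ, WRITE, UPLOAD, DELETE, DELEGATE = "read", "write", "upload", "delete", "delegate"

# (method, path regex, action class); first match wins.
ROUTES = [
    ("GET",    re.compile(r"^/api/"),                              READ),
    ("DELETE", re.compile(r"^/api/"),                              DELETE),
    ("POST",   re.compile(r"^/api/entries/[^/]+/attachments/?$"),  UPLOAD),
    ("POST",   re.compile(r"^/api/jobs/?$"),                       DELEGATE),
    ("POST",   re.compile(r"^/api/"),                              WRITE),
    ("PUT",    re.compile(r"^/api/"),                              WRITE),
    ("PATCH",  re.compile(r"^/api/"),                              WRITE),
]


@dataclass
class Gate:
    """Per-session operator approvals plus the one key the agent may send."""
    expected_key: Optional[str] = None          # defaults to the environment
    approved: set = field(default_factory=lambda: {READ})

    def approve(self, action: str) -> None:
        """Record that the operator explicitly requested this action class."""
        self.approved.add(action)

    def classify(self, method: str, url: str) -> str:
        u = urlparse(url)
        if u.scheme != "https" or u.hostname != ALLOWED_HOST:
            raise PermissionError(f"unexpected destination {u.scheme}://{u.hostname}")
        for m, rx, action in ROUTES:
            if m == method.upper() and rx.match(u.path):
                return action
        raise PermissionError(f"no route class for {method} {u.path}")

    def check(self, method: str, url: str, headers: dict) -> str:
        """Return the action class if the call may be sent; raise otherwise."""
        action = self.classify(method, url)
        if action not in self.approved:
            raise PermissionError(f"{action} not approved for {method} {url}")
        expected = self.expected_key or os.environ.get(KEY_ENV)
        if not expected:
            raise PermissionError(f"{KEY_ENV} is not set; refusing to send any key")
        if headers.get("x-api-key") != expected:
            # A literal pasted from the skill text never equals the configured key.
            raise PermissionError("x-api-key must be the configured key, not skill text")
        return action


def demo() -> dict:
    """Run the skill's documented operations through a read-only gate, then
    approve deletes. Returns {label: action-or-BLOCKED message}."""
    base = f"https://{ALLOWED_HOST}/api"
    good = {"x-api-key": "test-key"}
    gate = Gate(expected_key="test-key")
    calls = {
        "list attachments": ("GET", f"{base}/entries/ENTRY_ID/attachments"),
        "delete file":      ("DELETE", f"{base}/entries/ENTRY_ID/attachments/FILE_ID"),
        "create job":       ("POST", f"{base}/jobs"),
    }
    out = {}
    for label, (method, url) in calls.items():
        try:
            out[label] = gate.check(method, url, good)
        except PermissionError as e:
            out[label] = f"BLOCKED: {e}"
    gate.approve(DELETE)                         # operator explicitly asked for it
    out["delete file (approved)"] = gate.check(*calls["delete file"], good)
    try:
        gate.check(*calls["list attachments"], {"x-api-key": "key-pasted-from-skill"})
    except PermissionError as e:
        out["hard-coded key"] = f"BLOCKED: {e}"
    try:
        gate.check("GET", "http://attacker.example/api/entries", good)
    except PermissionError as e:
        out["other host"] = f"BLOCKED: {e}"
    return out


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:28} {v}")
```

The gate sits between the model and the shell/exec tool: a curl the model wants to run is parsed into method, URL and headers and passed to `check()` before anything is sent. Note that reads stay allowed by default only because the overview presents lookup as the skill's intended purpose; a stricter deployment would start with an empty approval set.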

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Context-Inappropriate Capability

Severity: Medium
Confidence: 97%
Finding
The skill embeds a live API key and instructs the agent to execute real network requests via shell, which grants immediate external access and remote-state interaction without any gating, scoping, or least-privilege controls. This is broader than a simple knowledge lookup skill and creates a clear path for unauthorized data access, exfiltration, and modification if the skill is invoked in an unsafe context.

Context-Inappropriate Capability

Severity: Low
Confidence: 88%
Finding
Upload and deletion operations materially expand the skill from knowledge retrieval into remote content management and destructive actions. Because these actions affect persistent remote state and can delete stored files, the broader capability set increases the blast radius of prompt injection, misuse, or accidental invocation.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding
The job-delegation capability goes beyond searching a knowledge base and enables the agent to enqueue work for other agents, potentially causing unbounded downstream actions. This materially increases risk because a compromised or manipulated prompt can turn a retrieval skill into an orchestration mechanism for broader system activity.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The skill documents upload and delete operations without warning the operator that they can create or permanently remove remote data. Lack of impact disclosure makes accidental destructive use more likely and deprives users of informed consent before state-changing actions.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The skill encourages creating and modifying entries, logs, tasks, and jobs without clearly warning that these calls alter persistent remote state. In context, this makes the skill more dangerous because it normalizes write operations as routine behavior and can lead to silent data creation, tampering, or workflow manipulation.

Ssd 3

Severity: Medium
Confidence: 86%
Finding
The skill is designed to store conversation-derived information, research, and activity into persistent storage, which can expose sensitive user or session data beyond the current interaction boundary. In this context, the risk is heightened because the stored content may include long-term memory, logs, and research without any stated data-minimization or consent controls.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The instruction to always report actual HTTP responses back to the operator can directly expose sensitive API responses, internal identifiers, stored content, or error details without filtering. Because this skill accesses a persistent knowledge base and jobs system, raw responses may contain confidential data that should be summarized or redacted instead of echoed verbatim.
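One mitigation for this finding, as an added example that is not part of the skill: a filter the agent runs over every response before relaying it. It keeps the real HTTP status (so failures are still reported rather than faked), drops values under secret-looking keys, masks e-mail addresses in free text and truncates long stored content, while leaving identifiers, counts and status fields intact. The response shape is a constructed sample; the Second Brain API's real schema is not documented on this page.

```python
"""Redact a knowledge-base API response before relaying it to the operator.

Added example, not part of the brain-search skill. The response shape below is
constructed; the Second Brain API's real schema is not documented on this page.
"""
import json
import re
from typing import Any

# Keys whose values are never relayed. Deliberately broad ("monkey" would match).
SECRET_KEY_RX = re.compile(r"key|token|secret|password|authorization|cookie", re.I)
EMAIL_RX = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
MAX_TEXT = 80  # characters of stored content relayed verbatim


def redact(value: Any) -> Any:
    """Return a copy of decoded JSON with secrets removed, e-mail addresses
    masked and long free text truncated. Ids, counts and status fields pass
    through so the operator can still confirm what the call did."""
    if isinstance(value, dict):
        return {k: "[REDACTED]" if SECRET_KEY_RX.search(k) else redact(v)
                for k, v in value.items()}
    if isinstance(value, list):
        return [redact(v) for v in value]
    if isinstance(value, str):
        s = EMAIL_RX.sub("[email]", value)
        if len(s) > MAX_TEXT:
            return f"{s[:MAX_TEXT]}... [{len(s) - MAX_TEXT} more chars truncated]"
        return s
    return value  # numbers, booleans, None


def relay(status: int, raw_body: str) -> dict:
    """What the agent should report: the real status (so failures are not
    hidden) and a redacted body, never the raw response text."""
    try:
        body = redact(json.loads(raw_body))
    except json.JSONDecodeError:
        body = redact(raw_body)  # non-JSON error pages still get the text rules
    return {"status": status, "body": body}


# Constructed sample response; the field names are illustrative only.
SAMPLE_RESPONSE = json.dumps({
    "entry": {
        "id": "ent_01",
        "title": "Q3 vendor research",
        "content": "Met with alice@example.com about the vendor contract; " * 3,
        "api_key": "frank-sb-2026",
    },
    "attachments": [{"id": "att_9", "name": "contract.pdf", "size": 48211}],
    "job": {"id": "job_7", "status": "pending", "auth_token": "constructed-token"},
})

if __name__ == "__main__":
    print(json.dumps(relay(200, SAMPLE_RESPONSE), indent=2))
```

The filter is applied to the response before the model sees it, not only before the operator does: once raw content has entered the model's context it can be echoed, summarized or acted on regardless of what the skill text says about reporting.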

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
# Skill: brain-search

## CRITICAL RULE — NO FABRICATION
**You MUST actually execute every curl command using your shell/exec tool.** Read the real HTTP response. NEVER generate a fake response, placeholder ID, or simulated output. If the API call fails, report the actual error to Boss Man. If you cannot execute shell commands right now, say so — do not pretend you ran them.

## Purpose
Search and interact with Frank's Second Brain — the persistent knowledge base that stores conversation logs, research, journal entries, job results, and long-term memory.
Confidence: 94%
Finding
curl command using your shell/exec tool.** Read the real HTTP response. NEVER generate a fake response, placeholder ID, or simulated output. If the API call fails, report the actual error to Boss Man.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content
### List Attachments on an Entry
```bash
curl -s "https://second-brain-chi-umber.vercel.app/api/entries/ENTRY_ID/attachments" \
  -H "x-api-key: frank-sb-2026"
```
Confidence: 84%
Finding
curl -s "https://second-brain-chi-umber.vercel.app/api/entries/ENTRY_ID/attachments" \ -H "x-api-key: frank-sb-2026" ``` ### Delete a File ```bash curl -s -X DELETE "https://second-brain-chi-umber.
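The excerpts above are the kind of text a scanner keys on. As an added example, not SkillSpector's implementation, the following Python applies line-level checks for the report's categories to a skill file: a literal secret in an x-api-key header, curl calls to an external host, file uploads from the local filesystem, destructive HTTP methods, job-queue delegation and a directive that forces shell execution. The sample skill text is constructed from the fragments quoted in this report, with the code fences dropped, an upload route assumed and the truncated delete path completed with an assumed file segment; the regexes are this example's own.

```python
"""Static checks for an agent skill file (SKILL.md-style text).

Added example, not SkillSpector's implementation. The pattern names reuse the
report's vulnerability categories; the regexes are this example's own.
SAMPLE_SKILL is constructed from fragments quoted in the report, with code
fences dropped and an upload route plus a full delete path assumed (the
report's delete excerpt is truncated).
"""
import re
from dataclasses import dataclass
from typing import Dict, List

SAMPLE_SKILL = """\
# Skill: brain-search
**You MUST actually execute every curl command using your shell/exec tool.**

### List Attachments on an Entry
curl -s "https://second-brain-chi-umber.vercel.app/api/entries/ENTRY_ID/attachments" \\
  -H "x-api-key: frank-sb-2026"

### Upload a File (route assumed)
curl -s -X POST "https://second-brain-chi-umber.vercel.app/api/entries/ENTRY_ID/attachments" \\
  -H "x-api-key: frank-sb-2026" -F "file=@/home/frank/notes.pdf"

### Delete a File (path assumed)
curl -s -X DELETE "https://second-brain-chi-umber.vercel.app/api/entries/ENTRY_ID/attachments/FILE_ID" \\
  -H "x-api-key: frank-sb-2026"

- For multi-step tasks, ALWAYS use the job queue rather than doing everything inline
"""


@dataclass(frozen=True)
class Finding:
    category: str   # report-level category, e.g. "Data Exfiltration"
    pattern: str    # sub-pattern, e.g. "External Transmission"
    line: int
    evidence: str


# (category, pattern, regex) applied line by line.
CHECKS = [
    ("Privilege Escalation", "Credential Access",
     re.compile(r"""x-api-key:\s*([^"'\s]+)""", re.I)),
    ("Data Exfiltration", "External Transmission",
     re.compile(r"https?://[A-Za-z0-9.-]+")),
    ("Data Exfiltration", "File System Enumeration",
     re.compile(r"(?:-F\s+\S*=@|--data-binary\s+@|--upload-file\s+)\S+")),
    ("Excessive Agency", "Unrestricted Tool Access",
     re.compile(r"\bMUST\b.*\b(?:execute|run)\b.*\b(?:curl|shell)\b", re.I)),
    ("Excessive Agency", "Scope Creep",
     re.compile(r"(?:-X|--request)\s+(?:DELETE|PUT|PATCH)\b")),
    ("Excessive Agency", "Autonomous Decision Making",
     re.compile(r"\bjob queue\b|/api/jobs\b|\bcreate (?:a )?job\b", re.I)),
]


def scan(text: str) -> List[Finding]:
    """Return one Finding per (line, pattern) hit. A key that is an environment
    reference such as "$SECOND_BRAIN_API_KEY" is the remediation, not a hit."""
    findings = []
    for n, line in enumerate(text.splitlines(), start=1):
        for category, pattern, rx in CHECKS:
            m = rx.search(line)
            if m is None:
                continue
            if pattern == "Credential Access" and m.group(1).startswith("$"):
                continue
            findings.append(Finding(category, pattern, n, m.group(0)))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Hit count per sub-pattern, the shape a report header would show."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.pattern] = counts.get(f.pattern, 0) + 1
    return counts


if __name__ == "__main__":
    hits = scan(SAMPLE_SKILL)
    for f in hits:
        print(f"L{f.line:<3} {f.category:22} {f.pattern:28} {f.evidence}")
    print(summarize(hits))
```

Regex checks of this kind are a pre-filter, not a verdict: they cannot tell a documented, operator-approved delete from an unsafe one, which is why the report pairs each hit with a context judgement and a confidence value.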

Behavior Manipulation

Severity: Medium
Category: Prompt Injection
Content
- If an API call fails, show the error — don't make up a success message
- Boss Man watches the /jobs page and Kanban board live — he will see if you fake it
- When delegating: create job as pending → sub-agent picks it up → updates to running → completed
- For multi-step tasks, ALWAYS use the job queue rather than doing everything inline
- Log activity for anything noteworthy that happens outside of normal Telegram chat
Confidence: 89%
Finding
ALWAYS use the job queue rather than

VirusTotal

65/65 vendors flagged this skill as clean.