ClawSeal

Security checks across malware telemetry and agentic risk

Overview

ClawSeal appears to provide the advertised signed memory feature, but it also installs an always-on local memory server with weak access controls and automatic persistence.

Review carefully before installing. Only install if you are comfortable with a persistent local service on port 5002 that stores long-term agent memories. Avoid storing secrets or regulated personal data, restrict or remove broad CORS, add authentication or a local token before real use, and confirm you know how to stop, disable, and remove the launchd/systemd service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (13)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 92%
Finding: The skill declares no permissions while explicitly using shell-based installation and verification commands. This creates a transparency and consent problem: an operator may approve the skill expecting passive documentation, but the skill can execute local commands and alter the environment during install or verification.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 96%
Finding: The documented purpose emphasizes cryptographic memory, but the described behavior also includes package installation, local server startup, and OS/service integration beyond simple memory storage. This mismatch is dangerous because it can conceal a much broader execution and persistence footprint than users reasonably expect from the description, increasing supply-chain and local attack-surface risk.

Context-Inappropriate Capability
Severity: Medium
Confidence: 93%
Finding: The server enables CORS globally for endpoints that read and write persistent memory, which allows arbitrary web origins to issue browser-based requests if this service is reachable from a user's machine or a broader network. In the context of a local cryptographic memory service, exposing cross-origin access broadens the attack surface and can enable unauthorized reads or writes through a victim's browser, especially if the service is later bound beyond localhost or consumed by browser-based tooling.

Intent-Code Divergence
Severity: High
Confidence: 98%
Finding: The verification endpoint does not actually verify the requested memory by ID; it performs a recall search using the supplied memory_id as a query and then returns success based on the first result. This can produce false assurances of integrity, letting callers believe a specific record's QSEAL signature is valid even when a different record was returned or no exact identity check was performed.

Description-Behavior Mismatch
Severity: Medium
Confidence: 97%
Finding: The installer creates a persistent background service that starts automatically on login/boot, which is a materially broader capability than a normal package install. Even if intended to support the local server, doing this during installation increases attack surface and persistence without prior opt-in, which is risky for an agent skill.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: The script modifies per-user OS service configuration by writing launchd/systemd units and enabling them automatically. Persistence and service registration are sensitive actions because they survive the install session and can continuously run network-exposed code, making any later flaw in the server more impactful.

Intent-Code Divergence
Severity: Medium
Confidence: 94%
Finding: The user-facing messaging presents the action as a straightforward plugin install, but the script also establishes persistence and starts a background server. This mismatch reduces informed consent and can trick users or operators into running a service they did not expect.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The installation section tells users to run `bash install.sh` and only afterward explains that it registers an auto-start daemon and starts a server. That is a meaningful security-relevant side effect because it creates persistence and exposes a local service, yet the user is not clearly warned before execution or given an opt-in choice.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The examples encourage storing persistent user preferences and other memories across sessions but do not warn about retention, sensitivity, consent, or deletion. In an agent context, this can lead to quiet accumulation of personal data and unexpected long-term storage of user information.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The README tells users to run `bash install.sh` and says the script installs the package and registers a daemon, but it does not present the persistence/auto-start side effect as a prominent warning before execution. Encouraging one-step execution of a local script that creates a boot-persistent background service increases the chance users will grant long-lived execution without understanding the system change.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: The skill encourages storing persistent user preferences, facts, and relationship data without clear guidance on retention, minimization, deletion, or user consent. This can lead to privacy harm, regulatory issues, and unintended long-term storage of sensitive personal data, especially because the feature is framed as convenient default memory.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The demo instructs an agent to store and later recall user preference and project information as persistent memory, but it provides no privacy notice, consent step, retention guidance, or warning that the data is being written to storage. Even though the example uses localhost, it normalizes silent collection of potentially sensitive user data and could lead operators to deploy similar behavior without user awareness or proper data handling controls.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The installer registers and enables an auto-start service without an explicit prior warning or confirmation. Silent persistence is dangerous because users may not realize a continuously running process has been added to their account, especially in an ecosystem where skills are expected to be limited in scope.

VirusTotal

67/67 vendors flagged this skill as clean.