Nirvana

Security checks across malware telemetry and agentic risk

Overview

This plugin is privacy-themed and mostly coherent, but it can automatically send prompts and stripped context to cloud providers while also reading sensitive agent files and storing local audit or cache data.

Install only if you are comfortable with automatic cloud fallback and local persistence of audit, metrics, and response data. For sensitive work, disable cloud fallback, keep enforceContextBoundary enabled, avoid weakening identityFilesNeverExport, review audit/cache retention, and do not run the migration log-deletion command until backups and retention needs are confirmed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (17)

Intent-Code Divergence (Medium, 98% confidence)

The module claims to enforce a privacy boundary and never export identity files, but `strip()` returns the original context unchanged whenever `enforceContextBoundary` is false. In a privacy/security component, a fail-open path like this can expose the exact sensitive files and metadata the component says it prevents from leaving the system, especially if configuration is absent, mis-set, or attacker-influenced.

Intent-Code Divergence (Medium, 95% confidence)

The header states certain identity files are 'never exported', but `reconfigure()` allows callers to replace `identityFiles` entirely, removing those protections at runtime. If an untrusted plugin, caller, or misconfiguration can invoke reconfiguration, the privacy boundary becomes mutable and sensitive identity/memory files may be sent to cloud APIs contrary to the documented guarantee.

Intent-Code Divergence (Medium, 93% confidence)

The comment says queries mentioning identity or personal information should be routed locally, but the actual routing only treats privacy as one scoring factor. In hybrid mode, privacy-sensitive queries can still be routed to cloud or hybrid paths, creating a mismatch between developer expectations and real data-handling behavior that may expose sensitive user input to external providers.

Missing User Warnings (Medium, 93% confidence)

The installation guide encourages enabling cloud fallback and configuring a third-party model provider, but it does not clearly warn that prompts and possibly sensitive context may be transmitted outside the local environment. In a project explicitly marketed around local inference and privacy protection, this omission is security-relevant because users may believe privacy guarantees still hold after enabling the feature.

Missing User Warnings (High, 98% confidence)

The guide provides a configuration snippet to disable privacy enforcement while only labeling it 'Not Recommended', which is insufficient for a control that appears to govern context-boundary protection. If applied, users could unintentionally allow sensitive data to cross intended boundaries, undermining the stated privacy model of the system.

Missing User Warnings (Medium, 90% confidence)

The guide includes `rm` commands that delete audit and metrics logs while describing the backup as optional, but it does not give a clear warning that this permanently removes operational and forensic history. In a migration document, readers may copy-paste commands directly, causing accidental loss of records needed for troubleshooting, compliance, or incident response.

Missing User Warnings (Medium, 90% confidence)

The README promotes cloud fallback and local audit/memory persistence, but it does not clearly warn that user prompts, agent-generated content, or derived context may be transmitted to third-party providers and retained in local files when these features are enabled. In an agent setting, users may reasonably infer that 'privacy-preserving' and 'never exports' guarantees are comprehensive, which can lead to accidental disclosure of sensitive data despite partial context stripping.

Missing User Warnings (Medium, 96% confidence)

The skill advertises itself as 'local-first' and privacy-preserving, but the documented behavior includes automatic fallback to Anthropic/OpenAI/Gemini when the router deems it necessary. Users may reasonably assume their prompts stay local unless they explicitly opt into cloud use, so insufficient disclosure can cause inadvertent transmission of sensitive prompts to third-party providers.

Vague Triggers (Medium, 90% confidence)

The schema enables cloud fallback by default and defines cloud models, but it does not encode clear constraints tying fallback to privacy enforcement, consent, or explicit data minimization conditions. In a skill that may process sensitive agent context, this broad fallback behavior increases the risk of unintended transmission of user or workspace data to third-party APIs when local inference fails.

Missing User Warnings (Medium, 88% confidence)

The manifest explicitly advertises a cloud fallback while also requesting read access to user/context files and write access to memory and session state, but it does not provide any explicit user-facing warning, consent gate, or transmission policy in the manifest. In an infrastructure/query-router plugin, this combination is materially risky because sensitive prompt context could be routed externally and local memory/session data could be modified without users clearly understanding when that happens.

Missing User Warnings (Medium, 92% confidence)

This code sends user queries and stripped context to a cloud provider via `openclaw.query()`, but there is no evidence in this file of consent, disclosure, or an explicit opt-in before external transmission. In a privacy-sensitive AI routing plugin, silent off-device transfer can expose sensitive prompts or partially redacted context to third parties, especially if stripping is incomplete or misconfigured.

Missing User Warnings (Medium, 90% confidence)

The `query:before` hook logs the raw query and context for privacy auditing when `auditLog` is enabled, but this file shows no minimization, consent, retention control, or user-facing disclosure. Audit logs frequently become a secondary data-exposure surface because they may contain secrets, personal data, or proprietary context and are often accessed more broadly than primary runtime data.

Missing User Warnings (Medium, 90% confidence)

The `exportLog` method writes the full in-memory audit log to any caller-supplied `outputPath` without validation, restriction, or confirmation. Because audit entries can contain context keys, violation details, and operational metadata, this can enable unintended disclosure of sensitive audit/compliance data or overwriting files in attacker-chosen locations if an untrusted path is provided.

Missing User Warnings (Medium, 91% confidence)

The code stores full cloud response text in a local cache without any consent, data-classification checks, redaction, encryption, or retention controls. If responses contain sensitive prompts, secrets, personal data, or regulated content, local caching increases the exposure surface and can lead to unintended persistence or later disclosure through other components that can read the cache.

Missing User Warnings (Medium, 90% confidence)

When local inference is unavailable or disabled, the router automatically falls back to a cloud model if cloud access exists. This can transmit user queries to third-party providers without any explicit consent, notice, or policy check in this code path, which is risky if queries contain sensitive or regulated data.

Missing User Warnings (Medium, 95% confidence)

The hybrid routing path explicitly chooses a cloud validation model, meaning prompts handled primarily locally may still be sent off-device for validation. Without clear disclosure, consent, or redaction, users may reasonably believe processing remains local when their data is actually shared externally.

Missing User Warnings (Medium, 92% confidence)

In the default hybrid scoring flow, lower local scores automatically result in cloud routing with no evidence of user notification or consent. Because routing decisions are based on prompt content characteristics rather than data sensitivity controls, ordinary user input may be sent to external services unexpectedly.

VirusTotal

66/66 vendors flagged this skill as clean.