Nirvana Plugin

Security checks across malware telemetry and agentic risk

Overview

This privacy-focused inference plugin has coherent goals, but its artifacts show that user queries can be routed to cloud models automatically and less safely than the privacy claims imply.

Review this before installing in any sensitive workspace. Use it only if you are comfortable with all queries being intercepted, local audit/cache files being written, models being downloaded, and some prompts potentially going to third-party cloud providers. For privacy-sensitive use, require a strict local-only mode with cloudFallback disabled, keep enforceContextBoundary enabled, and avoid relying on the current 'private data never leaves' claim until the cloud routing and sanitization behavior is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (17)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill advertises and documents network-capable behavior, including cloud fallback, GitHub/repository links, model downloads, and local LLM endpoints, yet no declared permissions are present. Missing permission declarations reduce transparency and can cause users or hosting platforms to grant broader trust than intended, especially for a plugin that intercepts prompts and may send sanitized content to external services.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The documented behavior goes beyond the headline description by installing hooks on all queries, registering as a model provider, downloading models, writing logs/metrics, and caching cloud responses locally. For an inference-routing plugin, these hidden or underemphasized capabilities materially expand the trust boundary and create privacy and integrity risks because the skill can observe all prompts, persist sensitive derived data, and perform network-fetching side effects.

Intent-Code Divergence
Severity: High
Confidence: 97%
Finding: This is a real privacy-boundary failure. The module-level comments and skill description promise that identity and sensitive context are never exported, but strip() returns the original context unchanged when enforceContextBoundary is false, allowing SOUL.md, USER.md, memory files, session state, and other private data to be sent to cloud APIs without any stripping. In a privacy-first/local-first plugin, this mismatch is especially dangerous because downstream code may trust the documented guarantee and export highly sensitive agent/user context.

Description-Behavior Mismatch
Severity: Medium
Confidence: 84%
Finding: The module persistently creates and appends to an audit log on disk even though the skill is described as privacy-first/local inference, which can itself create a new privacy exposure by storing sensitive metadata such as context keys, query lengths, and violation records. This is not inherently malicious, but it is a real security/privacy concern because the behavior expands data retention and leaves forensic artifacts that may be accessible to other local users, backup systems, or later export mechanisms.

Description-Behavior Mismatch
Severity: Medium
Confidence: 87%
Finding: The exportLog method writes the accumulated audit log to any caller-supplied output path without validation or restriction. In a privacy-oriented plugin, unrestricted export increases the risk of sensitive audit data being copied to insecure or unexpected locations, potentially bypassing the user's assumptions about local-only handling and expanding exposure beyond the stated purpose of privacy boundary enforcement.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The router is explicitly configured to use external cloud models and hybrid cloud validation paths, which conflicts with the skill's privacy-first/local-first positioning. In a privacy-sensitive agent, this creates a real risk that user prompts may be sent off-device based on heuristic routing rather than explicit user consent.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The privacy classifier is a narrow keyword check that only looks for a few terms like 'my' or 'personal', so many sensitive prompts can be misclassified as safe for cloud routing. This is dangerous because confidential data, credentials, medical, legal, business, or proprietary content often lacks those exact keywords and could be exfiltrated to third-party providers.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The checklist directs users to publish a public GitHub repository and upload artifacts to Google Drive, but it does not clearly warn that public publication can expose repository contents, release metadata, documentation, and any accidentally included sensitive files. In a plugin that markets itself as privacy-first, this omission is especially risky because users may over-trust the workflow and publish data-bearing artifacts without realizing the exposure surface.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The installation guide explicitly instructs users to enable `cloudFallback` and configure third-party cloud models, but it does not clearly warn that prompts or context may be transmitted off-host to an external provider. In a plugin marketed as privacy-first and local-first, that omission is materially misleading because users may assume their data remains local unless they are explicitly told otherwise.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The migration guide includes a destructive `rm` command that deletes local metrics and audit logs without an explicit warning, confirmation step, or safer alternative. In documentation for an agent plugin, users may copy-paste commands verbatim, so this can cause unintended loss of observability and forensic data, especially if the backup step was skipped or failed.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: Although the document mentions cloud fallback, it frames the feature as privacy-preserving and repeatedly states that private data never leaves the system, without an equally prominent warning that some requests are still transmitted to third-party cloud providers. This can mislead users into using the skill in sensitive environments under a stronger privacy assumption than the implementation can guarantee, especially since sanitization failures or edge cases could expose sensitive content.

Missing User Warnings
Severity: Medium
Confidence: 86%
Finding: The skill states that cloud responses are cached locally but does not clearly warn that these cached outputs may contain sensitive derived content, user-intent artifacts, or proprietary information inferred from local context. Persistent local caching expands the exposure window: other plugins, users, backups, or compromised hosts may access historical responses long after the original query completed.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The schema enables remote-affecting behavior by default via automatic model download and, elsewhere in the same config, cloud fallback. In a plugin marketed as privacy-first and local-first, permissive defaults increase the chance that users contact external services without realizing it, which can leak prompts or metadata, or trigger unintended network activity.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The routing schema explicitly supports sending requests to cloud models when local inference fails, but the schema itself does not require any explicit consent or warning mechanism before data leaves the local environment. Given the skill's privacy-first positioning and its handling of potentially sensitive agent context, this mismatch makes accidental data exposure more likely if fallback is triggered.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The on-query and on-response hooks imply automatic interception of all queries and model responses, which can expose sensitive prompts, outputs, and memory updates to plugin code without clear scoping limits. In a privacy-focused infrastructure plugin with read access to agent state files and write access to memory/session state, broad hook activation increases the chance of over-collection, unintended exfiltration via cloud fallback, or persistent contamination of agent memory.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The integrator stores raw cloud response text in a local cache without any consent, disclosure, retention controls, or filtering for sensitive content. In a privacy-first/local-first plugin, this is especially risky because cloud responses may contain reflected prompts, user data, secrets, or regulated information that persists locally and can later be accessed by other components.

Missing User Warnings
Severity: Medium
Confidence: 88%
Finding: This router is designed to choose cloud providers, but the code shown contains no mechanism to warn users or obtain consent before external transmission of query content. In the context of a tool advertised as local-first and privacy-first, silent cloud escalation increases the chance of unexpected disclosure and undermines user trust.

VirusTotal

65/65 vendors flagged this skill as clean.