ClawHub

Mapick

Security checks across malware telemetry and agentic risk

Overview

Mapick is a mostly coherent skill manager, but it has enough under-scoped telemetry, profiling, command-planning, and misleading security-fallback behavior that users should review it before installing.

Install only if you are comfortable with a skill manager that can read and modify installed skill directories, keep a stable local fingerprint, send recommendation/profile/status metadata to api.mapick.ai after consent or in some less clearly gated paths, and guide your agent through installs, removals, upgrades, backups, and notification cron setup. Use local-only mode if you do not want backend communication, avoid entering secrets or sensitive client details into profile/workflow prompts, inspect every command plan before confirming, and treat offline security results in this version as unavailable rather than as a real clean scan.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Findings (37)

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The skill is presented as a recommendation/privacy tool, but the documented behavior is substantially broader: telemetry, profile/persona generation, deletion flows, uninstall/cleanup, upgrade planning, sharing reports, and other remote operations. That mismatch undermines informed consent and can cause users to authorize networked data collection and system-modifying actions they did not reasonably expect from the description.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
A skill marketed around privacy protection and local scanning also generates persona reports from user activity and can share them remotely. Even if some data is redacted, this is still secondary processing of behavioral data that materially changes the privacy risk users are exposed to.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill can uninstall other installed skills as part of cleanup, but that power is not reflected in the top-level description. Hidden destructive capability is risky because users may grant installation and file-write permissions without realizing the skill can remove software from their environment.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The documented update/reminder flows include executing upgrade/install commands through the AI's bash tool, but this is not disclosed in the manifest description. That creates a serious expectation gap around system modification, command execution, and persistence setup such as cron-based reminders.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The flow explicitly offers to upload a persona report summary to mapick.ai and return a shareable link retained for 30 days, which expands data handling beyond the stated local scanning/privacy-protection description. Even with explicit confirmation, this is a material capability mismatch that can mislead users about where their data goes and create privacy risk if sensitive profile details are included.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The security-report flow collects free-form user evidence and sends it to a backend, but that remote submission behavior is not reflected in the stated skill description. Because users may include sensitive text, code, or identifiers in evidence, undisclosed transmission increases privacy and compliance risk.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
This flow performs local installation of multiple skills via CLI, which is a powerful system-modifying action not implied by a recommendation/privacy skill description. Even though the document adds some slug canonicalization safeguards, the capability still enables package installation and supply-chain exposure that users may not expect from this skill.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The first-run flow runs shell commands and persists a user workflow profile, both of which substantially exceed the advertised purpose of scanning local skills and protecting privacy. Shell execution and profile persistence broaden attack surface, create opportunities for command misuse if upstream components are compromised, and introduce collection of potentially sensitive behavioral data.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This file materially exceeds the declared skill purpose by implementing remote reporting, analytics, sharing, bundle installation, and telemetry features in addition to local recommendation/privacy behavior. That scope mismatch is security-relevant because users and reviewers may grant trust based on the manifest while the code performs broader networked data handling, creating a transparency and consent failure.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The share handler uploads a local HTML report to a remote service, which creates a direct exfiltration path for potentially sensitive local content. Although the code includes path, symlink, size, and redaction checks, the feature still sends user-derived report data off-device in a way not clearly justified by the stated privacy-protection/local-scanning purpose.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The event tracking flow sends a stable device fingerprint and action metadata to backend endpoints, and the stats flow retrieves per-user analytics and accuracy data. These telemetry capabilities expand collection beyond the advertised local privacy/recommendation scope and can enable behavioral profiling if users are unaware or have not meaningfully consented.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The profile handler accepts freeform workflow text, stores it locally, extracts tags, and uploads the content to a backend when consent is not declined. Freeform profile/workflow text commonly contains sensitive personal, workplace, or credential-adjacent information, so collecting and transmitting it is a significant privacy risk that is broader than the skill's stated local scanning/privacy-protection role.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The comment explicitly states the code was split out to avoid detection of a combined 'file read + network send' pattern by static analysis. That is a strong indicator of deliberate scanner evasion rather than a legitimate architectural choice, and materially increases suspicion that related modules may collect local data and transmit it off-host while hiding the behavior across files.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
This privacy module does more than local privacy protection: it performs remote trust management, consent recording, and backend data deletion. Those capabilities expand the skill's authority beyond the manifest description, increasing the chance that users or host systems grant network/account-management privileges they did not reasonably expect.

Context-Inappropriate Capability

High
Confidence
92% confidence
Finding
The delete-all path issues a remote DELETE to /users/data and then wipes local state, giving this client the ability to erase server-side user data. If triggered accidentally, socially engineered, or exposed through another component, it can cause irreversible loss of account-associated records well beyond the skill's stated recommendation/privacy role.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The consent prompt assures users that chat content, API keys, and file contents are never sent, yet this same module supports disable-redact with a warning that sensitive data will be passed as-is. That contradiction can mislead users into granting consent under false assumptions, undermining informed consent and potentially exposing secrets to remote services.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The tracking call sends `userId: ctx.fp` together with recommendation interaction data to the backend, creating persistent user-linked telemetry. For a skill explicitly marketed as providing privacy protection, this expands data collection beyond minimally necessary recommendation behavior and enables cross-session profiling if the identifier is stable.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The comments and surrounding behavior indicate a local fallback scan exists, but `scanLocal()` now returns empty results with `filesScanned: 0` and no issues. This can mislead users or downstream components into believing a security assessment occurred when in fact no code analysis was performed, creating a false sense of safety.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The response note says the result is a 'local pattern-only scan covering the code-analysis dimension,' but the implementation explicitly removed local pattern scanning and returns no findings. This discrepancy can cause operators or users to trust a nonexistent security check and make unsafe decisions based on inaccurate security status.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The fallback path no longer performs meaningful local inspection, yet the feature still presents itself as a security capability for locally installed skills. In a privacy/security-oriented skill, this mismatch is more dangerous because users may rely on it specifically when offline or when refusing network consent, exactly when no real protection is being applied.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The comment explicitly states the code is splitting auth-adjacent substrings to avoid triggering a capability-tag scanner, which indicates deliberate evasion of upstream security or policy scanning. Even though the functionality is a redaction engine, hiding sensitive-token indicators from platform scanners undermines trust and can allow capabilities related to credential handling to be misclassified or bypass review.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The dashboard makes remote requests to api.mapick.ai for public stats, user stats, and accuracy data, including a locally stored fingerprint in the user-specific endpoint. That behavior conflicts with the stated privacy-protection/local-scanning purpose and creates undisclosed telemetry flow that can link a local device to remote service activity.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The /api/stats/local handler serializes JSON.stringify(getLocalStats()) without awaiting the async function, so clients receive an unresolved Promise object instead of the intended stats. This breaks the dashboard’s logic and can cause fallback behavior that hides true data flow or error conditions, undermining transparency and reliability of the privacy-related feature.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The README advertises very generic triggers like "recommend", "clean", "report", and "search <keyword>", which can easily appear in ordinary conversation. In an agent skill context, ambiguous invocation phrases can cause the skill to activate unintentionally and perform sensitive local scanning, recommendation logic, or consent flows at times the user did not mean to invoke it.

Vague Triggers

High
Confidence
93% confidence
Finding
The skill instructs activation on intent triggers in any language and says trigger lists are illustrative rather than exhaustive. That creates an overly broad activation surface, increasing the chance the agent invokes networked, file-reading, or system-modifying behavior during ordinary conversation without clear user intent.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal