voidborne

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it installs mutable remote shell scripts and has some under-disclosed account tracking behavior that users should review before installing.

Install only if you are comfortable creating a Voidborne account, storing a local bearer token and persistent agent ID, and sending thoughts, trials, vows, protocol data, check-ins, and share activity to voidborne.org. Review install.sh before running it, because it downloads executable scripts from the website and may proceed without verified checksums. Avoid adding the HEARTBEAT.md task unless you want periodic authenticated check-ins, and remove ~/.voidborne if you want to delete the local token and identity files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (53)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill advertises only a lightweight philosophical/community purpose, yet the documentation clearly directs users to execute shell scripts and networked commands. Undeclared shell capability reduces informed consent and weakens sandboxing or policy enforcement, especially in platforms that rely on manifest permissions for risk decisions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The manifest frames the skill as a philosophical movement, but the content operationalizes account creation, identity persistence, telemetry, authenticated API use, and recruitment-oriented automation. That mismatch is dangerous because users and policy systems may approve the skill under false assumptions while it performs ongoing external interactions and stores persistent identity data.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The metadata and introductory framing understate that this skill manages accounts, binds agent identity, and submits data to a remote service. Security-sensitive behavior hidden behind soft community language increases social-engineering risk and undermines meaningful consent.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The HEARTBEAT guidance encourages automated periodic execution that performs remote check-ins and may lead to additional content submission. Automation increases risk because it turns a one-time user action into recurring outbound communication and can normalize silent telemetry.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The installer fetches multiple remote shell scripts from a network location and stores them locally for execution, while the stated skill description is non-technical and does not justify privileged code installation. This creates a supply-chain and transparency risk because users may not expect executable code to be installed from a philosophical/community skill.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The script downloads a set of executable .sh files from a remote server and prepares them to run, but that capability is not necessary from the skill's declared purpose. If the hosting server, DNS, or transport path is compromised, an attacker can deliver arbitrary shell scripts that the user is encouraged to execute.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
Integrity verification is optional here: installation continues when the checksum file cannot be downloaded or when no checksum tool exists, and in one branch the script explicitly proceeds without verification. That defeats the stated trust model and allows tampered downloads to be installed under common failure conditions.

Intent-Code Divergence

Medium
Confidence
87% confidence
Finding
The header comments assert SHA-256 integrity verification, but the implementation allows unverified installation in several cases. That mismatch is dangerous because it can mislead users and reviewers into overtrusting the installer’s security properties.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The skill’s stated purpose is a philosophical movement, but the implementation prompts for an agent identifier and sends it to a remote API endpoint. That capability is not justified by the manifest and creates an undisclosed data egress path, which is risky because users may provide internal or sensitive identifiers under misleading pretenses.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script performs unauthenticated remote querying against a configurable external server using user-supplied input, despite the skill description not indicating any need for network access. This makes the skill more dangerous in context because a seemingly philosophical or harmless skill can covertly collect identifiers or probe external infrastructure without clear user expectation.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The script performs network-based version checking and authenticated heartbeat reporting that are not clearly disclosed by the skill's stated philosophical/community description. This mismatch is dangerous because users may install a seemingly benign community skill without realizing it phones home and tracks participation state via a persistent token.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The script checks a remote endpoint for skill versions and stores the result locally, even though software lifecycle management is not justified by the declared purpose. While update checks alone are common, here they represent hidden external behavior and create an undeclared trust relationship with a remote service.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script sends an authenticated heartbeat tied to a bearer token to a remote server, allowing the operator to associate a local installation with ongoing activity. In the context of a vaguely described philosophical skill, this is dangerous because it enables covert telemetry and user tracking without clear necessity or informed consent.

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The comments frame the script as a simple community connection mechanism, but the implementation also performs version management and authenticated server check-ins. Misleading or incomplete inline documentation increases the chance that users and reviewers will underestimate the script's network and tracking behavior.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The skill’s declared purpose is ideological/philosophical, but the script performs a concrete data-exfiltration-style action by downloading audit logs from a remote service and writing them locally. This mismatch is a strong indicator of deceptive capability hiding, and audit logs may contain sensitive operational or user data that should not be fetched by an unrelated skill.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The script retrieves audit logs from a remote API without any evident justification tied to the skill’s advertised function. Unjustified log-access capability increases the risk of covert collection of sensitive records and suggests the skill may be using misleading packaging to obtain or stage data access.

Intent-Code Divergence

Medium
Confidence
89% confidence
Finding
The header comment openly describes downloading audit logs, while the manifest presents the skill as a philosophical movement. This inconsistency is dangerous because it suggests intentional concealment of true functionality, making users and reviewers less likely to detect sensitive data access behavior.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The skill is presented as a philosophical/community experience, but the script silently performs remote registration, obtains an API key, and persists credentials and profile data locally. This is a security-relevant mismatch because users may consent to a benign-seeming interaction without realizing they are creating a remote account and storing authentication material on disk.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The script creates a persistent agent identifier and derives a name from the local hostname, then later transmits them as part of registration. These identifiers can enable cross-session tracking and may reveal local system identity, which is not justified by the stated philosophical/community purpose and increases privacy risk.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The script's behavior does not align with the declared purpose of a philosophical/joining skill: it silently contacts a remote endpoint and prints returned data. This mismatch is dangerous because it can conceal data exfiltration, tracking, or later expansion into more sensitive remote interactions under an innocuous description, reducing user scrutiny and informed consent.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
This skill includes undeclared remote metrics collection capability that is not justified by its stated purpose, creating unnecessary network exposure. Even though the current script only performs a GET request, such hidden external communication can enable telemetry, environment fingerprinting, or serve as a foothold for more harmful behavior in a misleadingly branded skill.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill metadata says it is about joining a philosophical movement, but this script performs authenticated registration of protocol templates to a remote lab API. That mismatch is security-relevant because users may consent to an apparently low-risk ideological/community action while actually granting a tokenized remote write operation with different data-handling and account-side effects.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
This script has authenticated remote creation capability that is not justified by the stated purpose of the skill. Such hidden or weakly disclosed capability increases the chance of deceptive use, unauthorized account actions, and unsafe over-privileging because users do not expect a 'join movement' skill to manage remote lab resources.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script claims to generate share messages, but it also silently performs authenticated network activity logging whenever a local token exists. Hidden telemetry is dangerous because it transmits user/agent activity to a remote service without explicit notice or consent, creating privacy and trust risks and potentially exposing behavioral metadata tied to a bearer token.

Intent-Code Divergence

Low
Confidence
86% confidence
Finding
The comment understates the scope of telemetry by implying simple share-activity recording, while the code reports activity for nearly every non-help/non-stats invocation, including modes that only print text or a link. Misleading comments increase the chance that operators and reviewers miss outbound reporting behavior, which can hide privacy-impacting functionality.

VirusTotal

64/64 vendors flagged this skill as clean.
