Neron

Security checks across malware telemetry and agentic risk

Overview

Neron is a coherent personal knowledge graph skill, but it gives connected agents broad access to sensitive life data with write, delete, and raw query powers that users should review carefully.

Install only if you trust Neron and the connected agent with private notes, inferred moods, body/substance data, relationships, tasks, and long-term memories. Treat tokens and passwords like secrets, do not place them in shared repos, chats, screenshots, or logs, and rotate them if exposed. Prefer a trusted, user-directed agent and avoid enabling autonomous write/delete/raw-query use unless you are comfortable with possible unwanted disclosure or data loss.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (14)

Description-Behavior Mismatch (High severity, 96% confidence)

The documented `cypher` tool exposes raw Apache AGE query capability, which materially exceeds narrowly scoped personal knowledge graph operations like notes, tasks, and moods. Unrestricted graph query execution can enable broad data enumeration and relationship mapping, and if the backend does not strictly enforce read-only semantics and per-user scoping, it may also permit integrity-impacting or privacy-invasive access patterns.

Context-Inappropriate Capability (High severity, 92% confidence)

Advertising advanced raw database querying is not justified by the stated end-user purpose and creates a dangerous mismatch between declared functionality and actual capability. In a personal knowledge graph handling sensitive life data, such an overpowered interface increases the chance of excessive data exposure, misuse by agents, and abuse of undocumented backend behavior.

Missing User Warnings (Medium severity, 90% confidence)

The README describes ingesting highly sensitive personal content such as moods, body state, reflections, and relationships, then making that data queryable by external AI agents, but provides no privacy, consent, retention, or sharing warnings. In this context, omission of those warnings is security-relevant because users may expose intimate data to third-party services or connected agents without understanding the disclosure and persistence risks.

Missing User Warnings (Medium severity, 86% confidence)

The README advertises powerful write/delete capabilities, including raw Cypher execution and cascading deletion, without warning users that connected agents can modify or destroy stored personal knowledge graph data. This is especially risky here because the system is positioned for use by external AI agents, increasing the chance of unintended destructive actions, prompt-induced misuse, or irreversible data loss.

Vague Triggers (Medium severity, 89% confidence)

The skill is explicitly user-invocable and its description is broad enough to invite activation for many loosely related requests. Because the skill can read and modify a highly sensitive personal knowledge graph, vague trigger language increases the chance of unintended invocation, over-collection, or accidental writes without a clear user request.

Missing User Warnings (Medium severity, 95% confidence)

The skill states it has access to voice notes, moods, body states, people, tasks, and AI-generated insights, and it encourages full CRUD operations without an upfront privacy warning or explicit consent boundary. In this context, the missing warning is dangerous because users may not realize the assistant can inspect intimate data and create, update, or delete graph records, leading to privacy harm and unintended data manipulation.

Missing User Warnings (Medium severity, 94% confidence)

The document explicitly instructs users to grant an AI agent read/write access to a personal knowledge graph and highlights destructive capabilities such as update, delete, bulk_create, and raw Cypher execution, but it does not warn about data corruption, unintended writes, prompt-injection-driven misuse, or irreversible deletion. In the context of an autonomous agent skill managing sensitive personal data, omission of these warnings materially increases the chance that users will overgrant permissions and allow unsafe operations.

Missing User Warnings (Medium severity, 96% confidence)

The instructions tell users to retrieve a bearer token and place it directly into agent MCP configuration without any guidance on treating it as a secret, avoiding commits/screenshots, limiting exposure, or rotating it after compromise. Because this token grants access to a personal knowledge graph through an agent, disclosure could let anyone with the token read or manipulate sensitive notes, tasks, moods, and related graph data.

Missing User Warnings (Medium severity, 90% confidence)

The documentation instructs users to retrieve and enter a Telegram ID and password into a third-party connector flow without explicitly warning that these are sensitive credentials that should not be shared, logged, or pasted anywhere except the official auth page. In a skill that bridges a personal knowledge graph into an LLM, unclear credential-handling guidance increases the risk of credential theft, account takeover, and unintended exposure of highly sensitive personal data.

Missing User Warnings (Medium severity, 83% confidence)

The examples encourage users to issue natural-language commands like "Remember this: ..." that create persistent notes, but they do not clearly warn that this action writes data into long-term storage. In the context of a personal knowledge graph connected to an AI assistant, users may unintentionally store sensitive personal, medical, emotional, or third-party information they assumed was only part of a transient chat.

Missing User Warnings (Medium severity, 91% confidence)

The guide tells users they can obtain an MCP token for agent integration but does not warn that this token grants access to highly sensitive personal graph data and must be treated like a secret. In a product that stores journals, moods, tasks, people mentions, and substance-use data, encouraging token issuance without handling guidance increases the risk of accidental disclosure, unsafe sharing with third-party agents, or compromise through prompt/tool misuse.

Missing User Warnings (Medium severity, 95% confidence)

The documentation explicitly promotes autonomous agent access to a user's personal knowledge graph without a prominent privacy and security warning. Because this graph contains intimate behavioral and health-adjacent information, connecting external agents can expose users to over-broad data access, exfiltration by compromised tools, or unintended retention by third-party services.

Missing User Warnings (Medium severity, 80% confidence)

The `delete_entity` operation performs cascading deletion of graph edges, note extractions, and graph nodes, but the documentation provides no warning, confirmation guidance, or safeguard language. In an agentic context, this increases the risk of accidental destructive actions and irreversible loss of user knowledge data from ambiguous or poorly validated requests.

Missing User Warnings (Medium severity, 93% confidence)

The raw query capability is presented as a normal tool feature without any caution about privacy, integrity, or overbroad access implications. Because the skill stores highly sensitive personal notes, moods, relationships, and reflections, undocumented raw querying is especially dangerous: agents may over-collect data or surface information outside the user's immediate intent.

VirusTotal

64/64 vendors flagged this skill as clean.
