Clarity Cognitive Engine

Security checks across malware telemetry and agentic risk

Overview

The skill presents itself as a cognitive engine, but its artifacts describe broader, under-disclosed behavior, including background services, broad memory retention, external model fallback, and possibly self-modifying workflows.

Review this skill carefully before installing. The main issue is not a malware signature or VirusTotal result, but that the artifacts describe significant local runtime authority, persistence, memory retention, and possible external data flow without consistent disclosure. Only use it in a contained environment after confirming how the daemon starts and stops, what data is stored, when external LLM calls happen, and whether any self-updating or commit/push behavior is disabled or explicitly user-approved.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (621)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Verify (syntax check only, the code is not executed)
import subprocess
result = subprocess.run(['node', '--check', filepath],
                        capture_output=True, text=True)
if result.returncode == 0:
    print('✅ 语法检查通过')
Confidence
70% confidence
Finding
result = subprocess.run(['node', '--check', filepath], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f'✅ 替换完成 (删除了 {len(old_bash)} 字符,新增 {len(new_bash)} 字符)')

# Verify (syntax check only, the code is not executed)
result = subprocess.run(['node', '--check', filepath],
    capture_output=True, text=True)
if result.returncode == 0:
    print('✅ 语法检查通过')
Confidence
70% confidence
Finding
result = subprocess.run(['node', '--check', filepath], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print(f'行 {i+1}: {repr(line)}')

# Verify (syntax check only, the code is not executed)
result = subprocess.run(['node', '--check', filepath],
    capture_output=True, text=True)
if result.returncode == 0:
    print('✅ 语法检查通过')
Confidence
70% confidence
Finding
result = subprocess.run(['node', '--check', filepath], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Verify (syntax check only, the code is not executed)
    try:
        import subprocess
        result = subprocess.run(['node', '--check', filepath],
                                capture_output=True, text=True)
        if result.returncode == 0:
            print('✅ 语法检查通过')
Confidence
70% confidence
Finding
result = subprocess.run(['node', '--check', filepath], capture_output=True, text=True)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
print('✅ 修复成功')

        # Verify (syntax check only, the code is not executed)
        result = subprocess.run(['node', '--check', filepath],
                                capture_output=True, text=True)
        if result.returncode == 0:
            print('✅ 语法检查通过')
Confidence
70% confidence
Finding
result = subprocess.run(['node', '--check', filepath], capture_output=True, text=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
70% confidence
Finding
Without declared permissions the skill's intent is opaque and cannot be validated.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
Of the capabilities mentioned in the description, corresponding implementations can indeed be found in the code: being-logic, three-layer memory (meaningful-memory), PAD emotion analysis (psychology/emotion), and truth-goodness-beauty evaluation (heart-logic). But the code as a whole goes far beyond these; its main behavior has clearly expanded into a comprehensive AI framework and tool suite containing many capabilities not declared in the description, in particular code execution/generation, installation and configuration modification, MCP daemon management, multi-agent orchestration, and behavior and goal systems. So although the description is partly accurate, it does not faithfully represent the actual scope of the code or the boundary of its main capabilities, and by the standard it should be judged a mismatch.

Intent-Code Divergence

High
Confidence
98% confidence
Finding
L070 claims "no background processes", but L013 states that it "automatically launches mcp-wrapper.js, with the daemon resident in memory", and L101-L103 explicitly lay out the two-process wrapper/daemon architecture. This is not an omission of information but a direct contradiction between the installation/security claims and the actual way the code runs.

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
L072 uses the absolute statement "no network services: does not start an HTTP/API server, does not listen on ports", but L101-L103 describe a stdio ↔ Unix socket proxy and a "JSON-RPC 2.0 server". Although this is not TCP port listening, the claim of "no network services / purely serverless components" clearly conflicts with the actual IPC service architecture.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
L076-L078 describe the repository as "purely thinking/memory/emotion modules with no side effects" that "contain no code capable of modifying itself, connecting externally, or storing secrets". But the same file elsewhere describes startup checks, automatic daemon launch, wrapper/daemon communication, and other runtime side effects, which conflicts with the "no side effects" promise.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The security table states the skill does not proactively make any network requests, but the privacy section later says it will call external services when the user explicitly initiates a request. These statements describe materially different behavior regarding network access and external communication.

Intent-Code Divergence

Low
Confidence
99% confidence
Finding
The front matter declares version "1.1.5" at L0003, but the documentation later states the current version is "1.1.2". This is an active contradiction inside the skill's own documentation about what version is actually current, which can mislead operators or auditors about the code they are loading.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The top-level documentation says the script has been replaced, is retained only for reference, and that agents should use another entrypoint instead. In reality, this file still defines and immediately runs `main()`, loads the core engine, reads memory/state files, and writes `memory/boot-cache.json`, so the documentation understates its active operational behavior.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The manifest describes a Node.js cognitive engine with memory, emotion analysis, and evaluation capabilities, but this file implements host-level process inspection (`ps aux`) and autonomous background process launching for daemon and wrapper management. That operational capability is not described in the manifest and goes beyond the core cognitive/analysis functionality users would expect from the stated purpose.

Intent-Code Divergence

Low
Confidence
92% confidence
Finding
L03 explicitly reads "Clarity emotional companion", whereas the skill manifest description stresses that this is a "cognitive engine" that "adopts no personality, only structure". This is not merely missing information but a directly different statement of the project's intent, which would lead contributors to understand and extend the skill as a companionship/personified product.

Intent-Code Divergence

Low
Confidence
71% confidence
Finding
L36 states "this project has no external dependencies", but L37 immediately instructs running npm install. While this does not necessarily constitute a security issue in itself, the documentation's statements about development/runtime prerequisites contradict each other and may mislead contributors about the project's actual dependency footprint.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The philosophy section states '敏感信息不上传' ("sensitive information is not uploaded") as a reason for reducing LLM usage, implying user data stays local. However, the routing flow and integration example show that when understanding is insufficient, the full input is passed to `llmFallback` / `callLLMAPI`, which means some user inputs are uploaded to an external model.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest describes a narrower scope centered on cognition, memory, emotion analysis, and ethical evaluation. This document expands the skill into seven major systems, adding capabilities not reflected in the manifest, especially self-awareness, decision-making, continuous learning, and language-engine internals.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
A 23-minute autonomous learning cycle that searches external sources, integrates theories, generates formulas, updates programs, and commits/pushes code is a powerful software modification capability. That behavior is not an obvious or necessary requirement of the manifest's stated cognition, memory, PAD emotion analysis, and ethical evaluation purpose.

Context-Inappropriate Capability

Medium
Confidence
82% confidence
Finding
The manifest mentions three-layer persistent memory, which justifies some memory behavior, but this document specifically claims complete history for all interactions plus preference and commitment tracking. That is a materially broader retention posture than the concise manifest suggests, especially without any retention boundaries or user-control framing.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The manifest describes the skill as a structural cognitive engine and explicitly says it does not adopt a personality. This document, however, specifies a dedicated personality system with scoring, levels, and operational thresholds, which is a substantive behavior/domain mismatch rather than an implementation detail.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The manifest names awareness, three-layer persistent memory, PAD emotion analysis, and truth-goodness-beauty evaluation. A separate AI personhood calculator is a materially broader conceptual capability that is not implied by those stated functions.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The manifest presents the skill as a cognitive engine with awareness, memory, emotion analysis, and TBG assessment. Modeling and scoring autonomous agency introduces a distinct capability beyond that declared purpose.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The docstring and inline comments describe a 'mandatory verification' process and say the function 'only reports verified numbers'. However, the sample implementation executes a verification command, displays raw output, and then simply returns the original `number` argument without checking that it matches the verification result. This is an active contradiction between stated intent and shown behavior.

Context-Inappropriate Capability

High
Confidence
91% confidence
Finding
The manifest describes a Node.js cognitive engine with awareness, memory, PAD emotion analysis, and value evaluation. Declaring this file as 'highest priority' and 'covering all other instructions' introduces an instruction-governance capability that can supersede normal control flow and user/developer intent, which is distinct from the stated analytical/structural purpose of the skill. This is not an obvious implementation detail of memory or emotion analysis.

VirusTotal

VirusTotal findings are pending for this skill version.