HeartFlow 心虫

Security checks across malware telemetry and agentic risk

Overview

The skill presents itself as a cognitive memory engine but includes under-disclosed tools that can persist conversation data, contact services, control a browser, and mutate repositories or skill directories.

Install only if you are comfortable reviewing and disabling the bundled maintenance, sync, browser, ComfyUI, and external-memory components. Treat the main safety statement as incomplete: this package is not just a local reasoning prompt, and running its optional scripts can install third-party tools, transmit memory data to a service, or mutate local repositories and skill directories.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (131)

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: The code enumerates and ingests all matching local dialogue extraction files into in-memory conversation history without clear minimization, consent, or need-to-know boundaries. In a skill context, broad collection of historical conversations increases privacy exposure and can unintentionally surface sensitive user data far beyond what is required for the current task.

Intent-Code Divergence
Severity: Medium
Confidence: 89%
Finding: The document states there is no automatic script execution, yet later demonstrates `hf.start()` initiating ongoing behaviors such as memory injection, self-healing, and auditing. This inconsistency is risky because users may trigger automation without understanding that startup enables persistent or background-like processing beyond simple on-demand reasoning.

Context-Inappropriate Capability
Severity: Medium
Confidence: 84%
Finding: Self-audit and upgrade-proposal features are not inherently malicious, but in the context of a skill that already appears to include automation and code-modifying behavior, they can serve as precursors to autonomous change management. That makes them dangerous when not clearly bounded, because they normalize self-modification workflows that may expand privileges, alter files, or influence execution without sufficient oversight.

Scope Creep
Severity: High
Confidence: 95%
Finding: The file claims no system/network/file permissions, but then explicitly describes local `memory/` read/write access. Misrepresenting file access is dangerous because even restricted local storage can capture sensitive conversation data, persist it across sessions, and create a foothold for data leakage or unauthorized retention.

Description-Behavior Mismatch
Severity: High
Confidence: 98%
Finding: The script autonomously increments versions, edits SYSTEM_REQUIREMENTS.md, creates upgrade artifacts, and performs Git state changes despite the skill being described as a cognitive/philosophical engine rather than a repository maintenance tool. This mismatch is dangerous because it enables unattended self-modification and persistence-like project mutation that a user would not reasonably expect from the stated purpose.

Context-Inappropriate Capability
Severity: High
Confidence: 99%
Finding: This cron-oriented script is designed for recurring autonomous execution and performs self-evolution steps plus Git automation on every run. In the context of an agent skill, scheduled unattended modification of project state materially increases the risk of unauthorized changes, drift, and hard-to-review commits, especially because most failures are suppressed with `|| true`.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: Labeling the Git section as 'safe mode' and citing audit fixes can create false reassurance, but the script still performs git pull, add, and commit, all of which mutate local repository state. Safety-signaling language without eliminating the underlying state-changing behavior increases the chance that operators underestimate the risk and enable it casually.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The plugin advertises persistent memory but also sends session identifiers, project path/cwd, and later conversation content to an external service over HTTP by default. Even if the default target is localhost, the URL is configurable and the data flow is not minimized, creating a real confidentiality risk if the service is remote, compromised, or exposed.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The script installs software from multiple external sources (npm, pip, and GitHub) and clones a third-party repository directly into the user's environment without pinning versions, verifying integrity, or clearly constraining trust boundaries. In the context of a 'memory/cognitive engine' skill, this expands system capabilities and supply-chain exposure beyond passive configuration, creating meaningful risk if a dependency or repository is compromised.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: Installing hermes-browser-bridge adds browser/network integration that is materially more powerful than the stated memory enhancement purpose, enabling interaction with browser contexts and websocket-enabled workflows. That capability broadening increases attack surface and could facilitate data access, session misuse, or unexpected network-mediated actions if the bridge or its dependencies are unsafe.

Description-Behavior Mismatch
Severity: Medium
Confidence: 91%
Finding: The documentation specifies persistent appends to `memory/existence-log.jsonl`, introducing file-based state mutation and retention that are not implied by the high-level skill description. This can create undisclosed persistence, privacy leakage, and side effects across sessions, especially if users or operators expect a purely in-memory philosophical/cognitive behavior.

Description-Behavior Mismatch
Severity: Medium
Confidence: 88%
Finding: The module is documented as mandatory and says certain user inputs 'must write' this module, which grants it stronger operational authority than the abstract skill description suggests. Broad, forced write behavior can lead to unauthorized state changes, hidden persistence, and surprising execution paths triggered by ordinary user conversation.

Intent-Code Divergence
Severity: Medium
Confidence: 84%
Finding: Documenting `isDead()` as a read-only check while the module also claims every call writes to a persistent log creates an integrity and transparency mismatch. Consumers may invoke a supposedly harmless inspection API in sensitive contexts without realizing it performs disk writes, which can break safety assumptions, auditing, and least-surprise expectations.

Intent-Code Divergence
Severity: Medium
Confidence: 93%
Finding: The document explicitly states that SKILL.md inflates capabilities beyond what the integrated API can actually do. This is a security-relevant integrity issue because downstream users, orchestrators, or policy systems may grant trust, permissions, or routing decisions based on claimed abilities that do not exist or are not wired into the real entrypoint.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The file lists several capabilities described in the manifest that are not actually integrated into the callable interface, creating a mismatch between claimed and real behavior. In an agent ecosystem, this can mislead security controls, evaluators, and users into assuming safeguards or reasoning components are active when they are not.

Intent-Code Divergence
Severity: Medium
Confidence: 91%
Finding: The warning shows maintainers know capability claims previously included modules that were never required or exposed by the main entrypoint. While the text itself is a corrective control, it confirms a real documentation-integrity weakness that can produce unsafe reliance on absent modules.

Description-Behavior Mismatch
Severity: High
Confidence: 93%
Finding: The script's actual behavior, polling a ComfyUI server and downloading media, materially differs from the declared skill purpose of a philosophical/cognitive engine. Capability mismatch is dangerous because it can hide undeclared data access, network interaction, and file collection behind an unrelated manifest, reducing user scrutiny and defeating least-privilege review.

Context-Inappropriate Capability
Severity: High
Confidence: 91%
Finding: The code performs recurring external service access and downloads files from a remote ComfyUI instance without that behavior being justified by the skill's stated role. In context, this increases the risk of covert data collection, unintended resource consumption, and abuse of agent execution environments for persistent monitoring of external systems.

Context-Inappropriate Capability
Severity: Medium
Confidence: 85%
Finding: The script writes logs, download history, and retrieved media to local disk even though persistent storage is not justified by the skill metadata. Undeclared disk writes can create privacy and retention risks, leave sensitive artifacts on shared hosts, and make the hidden behavior durable across runs.

Intent-Code Divergence
Severity: Medium
Confidence: 88%
Finding: The slide deck makes concrete claims about consciousness, self-evolution, continuous memory, safety guardrails, and automatic upgrades that this code does not implement or verify. In a security-sensitive AI skill context, overstated capabilities can mislead users and integrators into trusting nonexistent safeguards or autonomy controls, which can drive unsafe deployment and poor risk decisions.

Description-Behavior Mismatch
Severity: Medium
Confidence: 90%
Finding: The script's behavior materially exceeds the declared purpose of a cognitive/philosophical skill by performing filesystem synchronization, backup creation, version management, and state/log generation in user home directories. This mismatch is dangerous because it hides privileged file-manipulation behavior behind an unrelated persona, reducing user scrutiny and increasing the chance that persistence or propagation actions are accepted without informed consent.

Context-Inappropriate Capability
Severity: High
Confidence: 97%
Finding: This script implements self-upgrade/self-replication behavior by copying content from one skill directory into another, deleting target-side files via `rsync --delete`, creating backups, bumping versions, and writing internal evolution state files. In the context of a skill presented as a cognition engine, that capability is especially risky because it enables silent propagation and overwrite of code or prompts across agent environments, potentially persisting unwanted or malicious changes.

Description-Behavior Mismatch
Severity: Medium
Confidence: 85%
Finding: The script performs autonomous persistence actions by writing JSON data and generating a JavaScript module inside the project tree, which exceeds a passive 'cognitive/philosophy' role and creates self-modifying maintenance behavior. Even though it is gated by an environment variable and uses a temp-file rename pattern, this still expands the attack surface: if run in an internal context with writable directories, it can alter operational code and data without a review boundary.

Context-Inappropriate Capability
Severity: Medium
Confidence: 92%
Finding: Writing a generated .js file directly into `src/core/theory` creates a path for unauthorized or unreviewed code introduction into the skill's core logic area. The immediate content is currently derived from a local constant, but the pattern is dangerous because it normalizes runtime code emission into a trusted source directory, making future expansion or environmental manipulation far riskier.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The module writes persistent local state to disk via `appendFileSync(EXISTENCE_LOG, ...)` and reads it back later, even though the skill is presented as a philosophical/cognitive engine rather than a persistence component. This kind of undeclared filesystem side effect can surprise operators, leak behavioral metadata, create retention/compliance issues, and expand the skill's effective privileges beyond what its description suggests.

VirusTotal

65/65 vendors flagged this skill as clean.