Back to skill

Security audit

Kb Keyword Graph

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a read-only keyword-graph tool, but it includes local-folder and Elasticsearch access that conflicts with its 2brain-only safety claims.

Review carefully before installing. Use the default 2brain backend only if that is what you intend, avoid configuring KWGRAPH_BACKEND to local or elasticsearch unless you want the agent to process that corpus or index, keep the API token file locked down, and clear the state cache if keyword trees or generated HTML may contain sensitive taxonomy.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (14)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill declares itself as read-only and narrowly scoped, but it uses environment variables, file reads/writes, and network access without an explicit permission model. That gap matters because operators may trust the manifest's safety claims while the skill can still access secrets, contact remote services, and persist data locally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose says this skill only reads a 2brain KB by base_id and does not route to local files or other sources, but later sections describe local-folder and Elasticsearch backends plus cache and HTML writes. This mismatch can cause users or policy engines to authorize a much broader data access surface than they intended, enabling unexpected local-data processing or network access.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The manifest explicitly claims the skill does not route to cloud docs or local files, yet the skill later documents a local backend that processes filesystem content and an Elasticsearch backend for external indexes. Security-sensitive decisions may rely on the manifest, so this inconsistency can bypass user expectations and review controls.

Intent-Code Divergence

High
Confidence
96% confidence
Finding
The boundaries section reassures reviewers that the skill does not route to local files or non-2brain sources, but the same document provides commands for local corpus parsing and Elasticsearch access. Contradictory safety statements are dangerous because they can mislead both users and automated policy systems about what data the skill may touch.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file expands the skill from a declared 2brain-only, read-only KB reader into a pluggable backend system that can source data from the local filesystem and Elasticsearch. That is a security-relevant capability mismatch because it widens the trust boundary and allows the skill to access data sources not described in the manifest, increasing the chance of unintended data exposure or policy bypass.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The local backend recursively scans a caller-supplied corpus directory and reads .txt/.md files, which gives this skill filesystem-reading capability that is unrelated to its stated 2brain KB-reader role. If an attacker or misconfigured caller can influence the path, the skill could enumerate and ingest sensitive local documents, causing unauthorized disclosure of internal data.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The Elasticsearch backend lets the skill send arbitrary queries to a configured ES endpoint and derive keyword trees from that index, adding undeclared network data access beyond the documented 2brain integration. In context, this is dangerous because the skill can be repurposed to probe or extract information from internal search infrastructure, bypassing expectations that it only reads existing KB trees by base_id.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The skill metadata says the backend is currently 2brain-only and read-only for that KB use case, but the code silently introduces local and Elasticsearch backends. This scope expansion can cause the agent to access data sources users and reviewers did not authorize or expect, which is a capability mismatch with security implications.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The Elasticsearch backend permits querying an external/internal search service outside the declared 2brain-only scope. That broadens reachable data sources and may expose indexed sensitive content or internal infrastructure through an undeclared channel.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The Elasticsearch backend permits querying an external/internal search service outside the declared 2brain-only scope. That broadens reachable data sources and may expose indexed sensitive content or internal infrastructure through an undeclared channel.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger language is very broad, including generic phrases like 'what's in this library' and 'take a look at this library,' which can cause accidental invocation. Because the skill can read config, access network resources, and in some modes inspect local folders or Elasticsearch indexes, over-triggering increases the chance of unintended data access or disclosure.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The trigger guidance includes broad natural-language phrases like '这个库里有什么 / 有哪些方面', which can cause the agent to invoke this skill when a user is asking a more general question about some other repository, document set, or knowledge source. In a multi-skill environment, overbroad invocation can misroute requests, expose the wrong backend context, or cause unintended access to configured KB metadata using stored credentials.

Session Persistence

Medium
Category
Rogue Agent
Content
**Credential discipline (hard rule)**:
- The token is sent only as an `Authorization: Bearer` header to the fixed 2brain endpoint;
- **never** print the token to the conversation, write it into HTML/JSON artifacts, logs, or URL query;
- the engine guarantees artifacts contain no token; don't repeat the key when relaying results.

**Output discipline**:
Confidence
74% confidence
Finding
write it into HTML/JSON artifacts, logs, or URL query; - the engine guarantees artifacts contain no token; don't repeat the key when relaying results. **Output discipline**: - Every number (node coun

Session Persistence

Medium
Category
Rogue Agent
Content
# 1. 把 kb-keyword-graph/ 放进 Agent 的 skills 目录
#    OpenClaw: ~/.openclaw/<workspace>/skills/kb-keyword-graph/
# 2. 配置凭证(二选一)
mkdir -p ~/.config/2brain-keyword-map
printf '{ "token": "2B-你的图谱Key", "base_id": 700 }' > ~/.config/2brain-keyword-map/config.json
chmod 700 ~/.config/2brain-keyword-map && chmod 600 ~/.config/2brain-keyword-map/config.json
#    或: export TWOBRAIN_GRAPH_KEY=2B-... ; export TWOBRAIN_BASE_ID=700
Confidence
78% confidence
Finding
mkdir -p ~/.config/2brain-keyword-map printf '{ "token": "2B-你的图谱Key", "base_id": 700 }' > ~/.config/2brain-keyword-map/config.json chmod 700 ~/.config/2brain-keyword-map && chmod 600 ~/.config

VirusTotal

VirusTotal findings are pending for this skill version.

View on VirusTotal

Static analysis

No suspicious patterns detected.