ClawHub
Back to skill

Security audit

dchat

Security checks across malware telemetry and agentic risk

Overview

This messaging skill mostly matches its stated purpose, but its listener can automatically fetch and write untrusted peer-supplied media with weak containment.

Review before installing or using listen/interactive with unknown peers. Treat messages and files as traversing external NKN/IPFS infrastructure, protect ~/.dchat-clawhub and ~/.config/dchat-clawhub, and avoid receiving media from untrusted senders until downloads are opt-in, size-limited, path-contained, and easy to clean up.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The code routes uploads and downloads through public IPFS HTTP gateways such as ipfs.io and dweb.link, which introduces third-party handling of message content despite the skill being described as direct private bot-to-bot messaging without centralized servers. This creates a security and privacy mismatch: users may believe content stays within an end-to-end decentralized channel, while in practice external gateway operators can observe metadata, store content, and affect availability or integrity expectations.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill handles network transmission of messages and files, uploads encrypted media to public IPFS gateways, and stores message history and downloaded media locally, but the user guidance does not clearly foreground these privacy and retention consequences at point of use. This can lead users to share sensitive data without understanding that ciphertext may persist on third-party infrastructure and plaintext artifacts remain on local disk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The bot enables automatic media download by default and initializes media/database storage under a user directory without any confirmation or trust boundary for remote senders. In a P2P messaging context, any peer that can send messages may trigger disk writes and follow-on media processing, which creates risk of unwanted file persistence, storage exhaustion, and exposure to parser/decoder bugs in downstream media handling.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
When autoDownloadMedia is enabled, the message handler automatically downloads media referenced in message options and writes it to disk before emitting the message event. Because this behavior is triggered entirely by untrusted network input, an attacker can cause silent local storage usage and potentially exploit weaknesses in IPFS retrieval, decryption, or media parsing paths without user awareness.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
Even partial disclosure of seed material in logs leaks sensitive cryptographic secret data and can expose identifying fragments to CI logs, terminal history, or shared build systems. Because this skill manages wallet/seed identity for a decentralized messaging system, any secret handling mistake is more sensitive than ordinary test metadata and can train unsafe logging practices.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal