Security audit

carl's corkie -- a digital corkboard for your agent

Security checks across malware telemetry and agentic risk

Overview

The skill appears to be a real corkboard dashboard helper, but its installer, persistence, and network/auth defaults create enough risk that users should review it before installing.

Install only if you trust the referenced GitHub project and are comfortable running its npm install/build/start steps. If you do install it:
  • Prefer binding to localhost unless LAN access is required.
  • Keep CORKBOARD_TOKEN and .env private.
  • Do not expose the dashboard port directly to the public internet.
  • Avoid CORKBOARD_AUTH=disabled unless a separate authentication layer is definitely in front.
  • Review before reinstalling over an existing skill or using delete/restore commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 88%
Finding: The documented behavior materially exceeds the declared purpose by including installation/deployment actions and external fetching, which can cause users to authorize broader execution and network activity than they intended. Description-behavior mismatches reduce informed consent and can hide risky operations such as pulling code from GitHub, starting services, or retrieving external content.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The add-youtube path reaches out to third-party services (YouTube oEmbed and optionally yt-dlp against YouTube) to enrich a pin with metadata. That expands the skill's behavior beyond simple dashboard posting and can leak user-supplied URLs and usage patterns to external services without an explicit consent boundary.

Context-Inappropriate Capability

Severity: Medium
Confidence: 85%
Finding: The alert command can invoke a separate alert server to focus windows and play sound, which is a local attention-steering capability unrelated to basic pin management. Even if intended as a convenience feature, it crosses into side-effectful local control that could be abused for disruption or coercive prompting.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: The installer fetches and updates code from a remote Git repository and then executes its dependency installation and build steps. That creates a software supply-chain trust boundary not inherent to simple local skill registration, and a compromised repo or unexpected upstream change could lead to arbitrary code execution during install.

Context-Inappropriate Capability

Severity: Medium
Confidence: 87%
Finding: The script manages long-running processes through PM2, including deleting existing named processes and starting services automatically. This expands the skill's operational scope from dashboard interaction into host-level service management, increasing the chance of persistence, unintended service changes, or abuse if the fetched project is malicious.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The installer modifies the OpenClaw workspace by replacing the skill directory and moving any existing one to a backup path. This is broader than necessary for dashboard use and can overwrite or disrupt an existing installation, especially if paths are misconfigured or the backup already contains important data.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding: The setup guide states that the server token is automatically copied into `VITE_CORKBOARD_TOKEN` and baked into the client bundle. Any value embedded in frontend code is accessible to any user of the app, so this collapses the distinction between a server-side secret and a public client value and can enable unauthorized API use, especially because the service is designed for LAN access and optional reverse-proxy exposure.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding: The script posts arbitrary title/content fields to the configured API endpoint, and several commands support potentially sensitive material such as emails, briefings, tracking numbers, and summaries. There is no user-facing warning or confirmation that this data will be transmitted off-process, or potentially off-host if CORKBOARD_API is remote.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The script removes any existing backup directory and replaces the active skill directory without an explicit confirmation prompt. This can destroy prior backups and silently replace local workspace content, making accidental data loss or rollback failure more likely.

Missing User Warnings

Severity: Low
Confidence: 78%
Finding: The installer clones or pulls code from a remote repository as part of normal execution, but the user-facing messaging at the decision point is limited. While not inherently malicious, silent remote code retrieval can surprise users and increases supply-chain risk because subsequent steps execute against newly fetched content.

Credential Access

Severity: High
Category: Privilege Escalation
Content (excerpt from the helper script):

API_URL="${CORKBOARD_API:-http://localhost:3010}/api/pins"
ALERT_URL="${CORKBOARD_ALERT_URL:-}"

# Load CORKBOARD_TOKEN from .env if not already set in the shell environment.
if [[ -z "$CORKBOARD_TOKEN" ]]; then
    ENV_FILE="${CORKBOARD_ENV_FILE:-.env}"
    if [[ -f "$ENV_FILE" ]]; then

Confidence: 84%
Finding: .env

Unsafe Defaults

Severity: Medium
Category: Tool Misuse
Content (excerpt from the skill documentation):

- Tracks are owned by `claude`, `you`, or `shared`; finishing a track can automatically create a follow-up task pin for the next handoff.
- Use deleted pin history plus restore routes when something should come back to the board instead of being recreated from scratch.
- Prefer `priority: 1` for urgent work, `2` for the normal default, and `3` for low urgency.
- The dashboard ships with a shared bearer token (`CORKBOARD_TOKEN`) generated on first run. Keep `.env` private; the helper script reads the token from there automatically. To disable auth (only behind a reverse-proxy auth layer), set `CORKBOARD_AUTH=disabled` in `.env`.

## Common Actions

Confidence: 97%
Finding: AUTH=disabled

Unsafe Defaults

Severity: Medium
Category: Tool Misuse
Content (excerpt from the helper script):

    echo "Error: CORKBOARD_TOKEN not set and no .env file found." >&2
    echo "  Set CORKBOARD_TOKEN in your environment, run from the repo root, or" >&2
    echo "  point CORKBOARD_ENV_FILE at a .env file containing CORKBOARD_TOKEN." >&2
    echo "  If your server runs with CORKBOARD_AUTH=disabled, set the same here." >&2
    exit 1
fi

Confidence: 86%
Finding: AUTH=disabled

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.