Echo Seed

Security checks across malware telemetry and agentic risk

Overview

Echo Seed is a real note app, but it automatically exposes notes and links to network services with weak scoping and unsafe defaults.

Install only if you are comfortable reviewing and hardening it first. Run it behind localhost-only access or authentication, avoid sensitive notes and internal URLs, disable or remove automatic Notion/Calendar/AI sync until explicit opt-in controls are added, and fix URL fetching (destination validation and TLS verification) before analyzing untrusted links.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (30)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill advertises no explicit permissions while the documentation clearly indicates capabilities for local file access, persistent storage, and outbound network communication. This is dangerous because users and hosting platforms cannot make an informed trust decision, and hidden capability scope increases the risk of unintended data access or exfiltration once the skill is installed.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The declared description frames the skill as a simple idea-capture tool, but the documented behavior includes running a web server, storing persistent data, exporting content, fetching arbitrary URLs, using AI services, and syncing data to multiple third parties. This mismatch is dangerous because it conceals the true attack surface and privacy impact, making operators more likely to enable a much more powerful service than they intended.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The design materially expands a simple idea-capture tool into automatic AI processing, relation discovery, and external calendar actions that are not implied by the stated skill purpose. This increases data handling, privilege use, and user-surprise risk, especially because processing happens automatically on creation rather than through explicit user action.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Automatically syncing detected todos to Google Calendar introduces an external side effect that can disclose sensitive user content, create unwanted events, and misuse granted OAuth/calendar permissions. For an idea-capture tool, this is a significant scope expansion with privacy and integrity consequences if triggered incorrectly or without consent.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
Automatic link analysis that fetches webpage content adds network-driven behavior beyond simple note capture and can cause the system to retrieve untrusted or sensitive URLs supplied by users. This creates privacy, SSRF-like, and unexpected data-processing risks if URL fetching is not tightly constrained.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The function fetches arbitrary user-supplied URLs with requests.get, creating a classic SSRF-style primitive. In a deployed environment, an attacker could use this to probe internal services, access cloud metadata endpoints, or reach network resources not otherwise exposed; the risk is increased further because TLS verification is disabled in the same path.
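The two findings above (automatic link analysis fetching user-supplied URLs, and the requests.get path with TLS verification disabled) call for destination validation before any fetch. The following is an added example, not Echo Seed's code: check_url and safe_fetch are hypothetical names, and the resolver is injectable so the checks run without DNS. It rejects non-HTTP schemes, URLs carrying credentials, and any destination whose literal address or resolved addresses are not globally routable (loopback, RFC 1918, link-local including the 169.254.169.254 cloud metadata endpoint, IPv4-mapped IPv6 forms), and it re-validates every redirect hop instead of letting the HTTP library follow them blindly. TLS verification stays on.

```python
import ipaddress
import socket
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit


def resolve_all(host):
    """Default resolver: every address (A and AAAA) the name maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def check_url(url, resolve=resolve_all):
    """Return (ok, reason). Assumed helper, not part of the project."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username or parts.password:
        return False, "credentials embedded in URL"
    host = parts.hostname
    if not host:
        return False, "no host"
    if host == "localhost" or host.endswith(".localhost"):
        return False, "localhost is not a valid target"
    try:
        addrs = {host}
        ipaddress.ip_address(host)          # literal IP: no DNS needed
    except ValueError:
        try:
            addrs = set(resolve(host))      # hostname: check every answer
        except OSError as exc:
            return False, f"DNS failure: {exc}"
    if not addrs:
        return False, "name resolves to nothing"
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # ::ffff:10.0.0.1 style addresses are IPv4 in disguise.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        # is_global is False for loopback, private, link-local (metadata
        # endpoint), CGNAT, multicast, reserved and unspecified ranges.
        if not ip.is_global:
            return False, f"{addr} is not a public address"
    return True, "ok"


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError for 3xx instead of following.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


_opener = urllib.request.build_opener(_NoRedirect)


def safe_fetch(url, max_hops=3, max_bytes=1_000_000, timeout=5.0):
    """Fetch with validation on the initial URL and on every redirect target.
    urllib verifies TLS by default; never pass verify=False (requests) or an
    unverified SSL context here."""
    for _ in range(max_hops):
        ok, why = check_url(url)
        if not ok:
            raise ValueError(f"refusing {url}: {why}")
        req = urllib.request.Request(url, headers={"User-Agent": "echo-seed-linkcheck"})
        try:
            with _opener.open(req, timeout=timeout) as resp:
                return resp.read(max_bytes)
        except urllib.error.HTTPError as err:
            location = err.headers.get("Location")
            if err.code in (301, 302, 303, 307, 308) and location:
                url = urljoin(url, location)  # re-validated at top of loop
                continue
            raise
    raise ValueError("too many redirects")
```

One caveat a deployment still has to close: the resolution in check_url and the one the HTTP client performs are separate lookups, so a DNS-rebinding attacker can pass the check and then answer with an internal address. Connecting to the already-checked IP (pinning it in a custom transport and sending the original Host header) removes that gap; a simpler option is to run the fetcher in a network namespace or egress proxy that cannot reach internal ranges at all.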

Intent-Code Divergence

Low
Confidence
80% confidence
Finding
The code inserts a temporary capsule, calls find_relations, which persists relation records for the temporary ID, and then deletes only the capsule row, leaving the relation records behind. This can leave unintended database artifacts that reveal processed content relationships or create stale records, which is a data-retention/privacy issue even if not directly exploitable for code execution.
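An added, self-contained reproduction of the retention issue just described, using sqlite3 and a toy schema; it is not Echo Seed's code, and find_relations here is a stand-in for the project's function that only mimics the one behaviour that matters (it persists a relation row for every hit). preview_relations_leaky does what the finding describes; preview_relations_safe runs the same preview inside a transaction that is rolled back, so neither the temporary capsule nor its relations survive. A third path shows that ON DELETE CASCADE would also have cleaned up, but only because SQLite's foreign_keys pragma is switched on, which it is not by default.

```python
import sqlite3

# Constructed schema; table and column names are assumptions for this example.
SCHEMA = """
CREATE TABLE capsules (id INTEGER PRIMARY KEY, title TEXT NOT NULL, content TEXT NOT NULL);
CREATE TABLE relations (
    src   INTEGER NOT NULL REFERENCES capsules(id) ON DELETE CASCADE,
    dst   INTEGER NOT NULL REFERENCES capsules(id) ON DELETE CASCADE,
    score INTEGER NOT NULL
);
"""


def open_db(enforce_fk=False):
    conn = sqlite3.connect(":memory:")
    # SQLite ignores REFERENCES ... ON DELETE CASCADE unless this pragma is ON.
    conn.execute("PRAGMA foreign_keys = %s" % ("ON" if enforce_fk else "OFF"))
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO capsules(id, title, content) VALUES (?, ?, ?)",
        [(1, "ops", "rotate prod ssh keys"), (2, "social", "lunch with team")],
    )
    conn.commit()
    return conn


def find_relations(conn, capsule_id, content):
    """Stand-in: relate to every capsule sharing a word, persisting each hit."""
    words = set(content.lower().split())
    others = conn.execute(
        "SELECT id, content FROM capsules WHERE id != ? ORDER BY id", (capsule_id,)
    ).fetchall()
    found = []
    for other_id, other in others:
        overlap = words & set(other.lower().split())
        if overlap:
            conn.execute("INSERT INTO relations VALUES (?, ?, ?)",
                         (capsule_id, other_id, len(overlap)))
            found.append((other_id, len(overlap)))
    return found


def preview_relations_leaky(conn, content):
    """The pattern in the finding: temp row in, relations written, only the capsule deleted."""
    cur = conn.execute("INSERT INTO capsules(title, content) VALUES (?, ?)", ("tmp", content))
    tmp_id = cur.lastrowid
    found = find_relations(conn, tmp_id, content)
    conn.execute("DELETE FROM capsules WHERE id = ?", (tmp_id,))
    conn.commit()
    return found


def preview_relations_safe(conn, content):
    """Same work inside one transaction that is always rolled back."""
    try:
        cur = conn.execute("INSERT INTO capsules(title, content) VALUES (?, ?)", ("tmp", content))
        found = find_relations(conn, cur.lastrowid, content)
    finally:
        conn.rollback()  # preview leaves no capsule and no relation rows
    return found


def orphan_relations(conn):
    return conn.execute(
        "SELECT COUNT(*) FROM relations WHERE src NOT IN (SELECT id FROM capsules)"
    ).fetchone()[0]


def capsule_count(conn):
    return conn.execute("SELECT COUNT(*) FROM capsules").fetchone()[0]
```

The rollback version is the one to prefer: it needs no schema change and does not depend on a connection-level pragma that every code path must remember to set. Cascade deletes are still worth enabling as a backstop so that the relations table can never outlive the capsules it refers to.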

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The service automatically synchronizes user-entered capsule data to external Notion and Google Calendar services and writes notification payloads for Telegram delivery, which materially exceeds a simple local idea-capture function. This creates a real confidentiality and privacy risk because user content, titles, tags, and reminder metadata are transmitted or staged for onward transmission without an explicit consent gate or clear least-privilege boundary.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Automatic calendar event creation for todo items is a scope-expanding behavior that can disclose sensitive task titles, descriptions, and reminder times to an external service. In the context of a 'simple and elegant idea capture tool,' this is risky because users may reasonably expect local note storage, not silent creation of third-party calendar events.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
Automatic AI expansion, link analysis, and relation discovery process user data beyond straightforward storage and may invoke additional downstream handling in ai_service, increasing data exposure and unexpected behavior. While likely intended as a feature, it is still dangerous because it operates automatically on newly created content without an explicit trust boundary or user approval.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The proposal allows automatic Google Calendar synchronization without a clear user warning or consent flow, meaning user content may be transmitted to a third party unexpectedly. Even if well-intentioned, this violates user expectations and can expose sensitive schedule or personal information.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The design calls for automatic AI analysis of all created content and URLs without informing users at submission time that their data will be processed immediately. This lack of transparency is dangerous because it can cause involuntary processing of sensitive notes, links, and inferred metadata.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README advertises URL extraction and AI analysis features but does not warn that submitted URLs and capsule contents may be fetched, processed, summarized, and potentially sent to an external provider. This creates a real privacy and data-governance risk because users may unknowingly submit sensitive internal links, proprietary notes, or personal data to off-system services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The configuration section names a third-party AI endpoint and API key setup but omits any warning that capsule inputs, URLs, extracted page content, and model outputs may leave the local system. In practice this can lead operators to deploy the feature without understanding that confidential workspace content may be transmitted to an external vendor.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises Notion, Google Calendar, Telegram Bot, and optional AI-enhanced features, but does not clearly warn users that their notes, URLs, or derived content may be transmitted to third-party services. In a note-taking tool, users may reasonably enter sensitive personal or work information, so missing disclosure increases the risk of unintended data exposure and privacy violations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documented AI link analysis feature suggests users can submit URLs for automatic extraction and summarization, but it does not disclose that fetched content or metadata may be sent to an external AI provider. This is dangerous because private, internal, or tokenized URLs could expose confidential content to third parties without informed consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation promotes Notion, Google Calendar, Telegram, and AI integrations without warning that user notes, links, reminders, or analyzed content may be transmitted to external services. This is dangerous because users may unknowingly send sensitive personal or organizational data to third parties with different retention, access, and privacy policies.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup instructions tell users to place API keys and OAuth credentials into configuration files and the project directory without guidance on secure storage. This is dangerous because secrets may be committed to source control, left in world-readable locations, or bundled into backups and shared archives, leading to account compromise and unauthorized API use.
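The guidance missing from the setup instructions, as an added example that is not part of Echo Seed: prefer the environment (or a secret manager) over files in the project directory, create any secret file with mode 0600 atomically, and refuse to load a file that is group/world-readable, owned by someone else, a symlink, or sitting in a world-writable directory. The function names, the env var NOTION_API_KEY and the demo file contents are assumptions; the checks are POSIX-only.

```python
import os
import stat
import tempfile


def audit_secret_file(path):
    """Return a list of storage problems for a secret file; [] means acceptable."""
    problems = []
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return [f"{path}: missing"]
    if stat.S_ISLNK(st.st_mode):
        problems.append(f"{path}: is a symlink")
        st = os.stat(path)
    if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(
            f"{path}: mode {oct(st.st_mode & 0o777)} is readable by group/others; chmod 600"
        )
    if st.st_uid != os.getuid():
        problems.append(f"{path}: owned by uid {st.st_uid}, not the service user")
    parent = os.stat(os.path.dirname(os.path.abspath(path)))
    if parent.st_mode & stat.S_IWOTH:
        problems.append(f"{path}: parent directory is world-writable")
    return problems


def store_secret(path, value):
    """Create the file with mode 0600; O_EXCL refuses to overwrite an existing
    file or follow a pre-planted symlink."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(value)


def load_secret(env_name, path=None, env=os.environ):
    """Environment first (nothing on disk to back up or commit); audited file second."""
    if env.get(env_name):
        return env[env_name]
    if path is None:
        raise RuntimeError(f"{env_name} not set and no secret file configured")
    problems = audit_secret_file(path)
    if problems:
        raise PermissionError("; ".join(problems))
    with open(path) as f:
        return f.read().strip()


def demo():
    """Constructed scenario: one key saved the loose way, one with store_secret."""
    d = tempfile.mkdtemp()  # created 0700, so the parent-directory check passes
    loose = os.path.join(d, "notion_key.txt")
    with open(loose, "w") as f:
        f.write("example-loose-key")
    os.chmod(loose, 0o644)
    tight = os.path.join(d, "notion_key_ok.txt")
    store_secret(tight, "example-tight-key")
    return {
        "loose": audit_secret_file(loose),
        "tight": audit_secret_file(tight),
        "from_env": load_secret("NOTION_API_KEY", env={"NOTION_API_KEY": "example-env-key"}),
        "from_file": load_secret("NOTION_API_KEY", tight, env={}),
    }
```

Pair this with a .gitignore entry for the secret file and for any OAuth token cache the Google client library writes, and keep both outside the directory that gets zipped or rsynced when the project is shared.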

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The code sends fetched webpage content and the user-provided URL to an external AI service without any visible notice, consent flow, or minimization. This can leak sensitive URLs, intranet references, tokens embedded in URLs, or copyrighted/private page content to a third party unexpectedly.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
User-entered note content is transmitted to an external LLM service without clear notice or consent. If users place confidential ideas, credentials, personal data, or proprietary material into the tool, that data may be exposed to a third party contrary to user expectations.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
After creating a capsule, the code immediately calls sync_to_notion with user-provided title, content, and tags, causing external transmission without a user-facing warning or confirmation. This is dangerous because users may enter sensitive notes expecting local storage only, but the application silently exports them to a third party.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Todo reminders are automatically pushed to Google Calendar when reminder_at is present, without any confirmation step in the request flow. This can expose sensitive task names and descriptions to external systems and may create operational side effects users did not intend.
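The findings above on sending fetched URLs and note content to the AI provider, the unconditional sync_to_notion call after creation, and the automatic calendar push share one fix: a consent gate with default-deny at both the operator and the per-note level, plus minimisation of what each destination receives. The following is an added example of that design and not Echo Seed's code; Capsule, Settings, plan_outbound and the consent field are assumptions, and the "plan" it returns is what a caller would hand to the real sync functions. strip_url_secrets drops embedded credentials, query strings and fragments, which is where tokens in URLs live.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple
from urllib.parse import urlsplit, urlunsplit


@dataclass
class Capsule:
    title: str
    content: str
    tags: List[str] = field(default_factory=list)
    url: Optional[str] = None
    reminder_at: Optional[str] = None
    # Per-capsule opt-in chosen at submission time; empty means local-only.
    consent: Set[str] = field(default_factory=set)


@dataclass
class Settings:
    # Operator-level switches, all off by default (assumed config shape).
    notion_enabled: bool = False
    calendar_enabled: bool = False
    ai_enabled: bool = False


def strip_url_secrets(url: str) -> str:
    """Remove userinfo, query and fragment before a URL leaves the system."""
    p = urlsplit(url)
    host = p.hostname or ""
    if ":" in host:               # IPv6 literal needs its brackets back
        host = f"[{host}]"
    if p.port:
        host += f":{p.port}"
    return urlunsplit((p.scheme, host, p.path, "", ""))


def plan_outbound(capsule: Capsule, settings: Settings) -> List[Tuple[str, Dict[str, object]]]:
    """List the external transmissions that are allowed for this capsule, each
    reduced to the fields that destination actually needs. Nothing is planned
    unless the operator enabled the integration AND the user opted this note in."""
    plan: List[Tuple[str, Dict[str, object]]] = []
    if settings.notion_enabled and "notion" in capsule.consent:
        plan.append(("notion", {"title": capsule.title,
                                "content": capsule.content,
                                "tags": list(capsule.tags)}))
    if settings.calendar_enabled and "calendar" in capsule.consent and capsule.reminder_at:
        # A calendar event needs a summary and a time, not the note body.
        plan.append(("calendar", {"summary": capsule.title, "start": capsule.reminder_at}))
    if settings.ai_enabled and "ai" in capsule.consent:
        payload: Dict[str, object] = {"content": capsule.content}
        if capsule.url:
            payload["url"] = strip_url_secrets(capsule.url)
        plan.append(("ai", payload))
    return plan
```

Because the plan is data rather than side effects, the request handler can show it back to the user ("this note will be sent to: calendar, AI") before anything is transmitted, and an audit log of what left the system falls out for free.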

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The UI triggers AI expansion, link analysis, and relation-analysis requests using selected user seed data, but the page provides no disclosure that user-authored content or URLs may be transmitted to backend services for processing. This creates a real privacy and consent issue, especially because AI/link-analysis features may cause sensitive notes or external URLs to be sent to server-side systems or third-party model providers without informed user consent.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Creating a seed sends user-entered title, content, tags, and optional URL to the server, yet the interface does not inform users that this information will be stored or transmitted. For an idea-capture tool, users may reasonably enter personal, confidential, or proprietary notes, so silent submission materially increases privacy risk and undermines informed consent.

Ssd 3

Medium
Confidence
87% confidence
Finding
Having the bot automatically include AI-generated summaries of newly submitted user content in replies creates a natural-language exposure path where sensitive content, inferred details, or hallucinated interpretations are echoed back into chat logs. In messaging environments, those replies may be retained, forwarded, or visible to unintended recipients.

VirusTotal

65/65 vendors flagged this skill as clean.
