ExperienceEngine

Security checks across malware telemetry and agentic risk

Overview

ExperienceEngine has a coherent purpose, but it installs persistent agent hooks and exposes several high-impact execution and data-capture paths that need careful review before use.

Install only if you are comfortable with persistent agent hooks and local experience storage. Review the exact host wiring before enabling it, avoid `ee agy exec` unless you accept the permission bypass, use local/strict-offline modes for sensitive repositories, and treat any configured LLM or embedding provider as a recipient of task- and tool-derived context.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (57)

Context-Inappropriate Capability

High
Confidence: 98%
Finding
The command always spawns `agy` with `--dangerously-skip-permissions`, which explicitly disables the spawned agent's permission checks regardless of user intent or prompt content. In this context, the tool also passes through the current environment and a user-controlled prompt, so any downstream agent execution gains broader filesystem and potentially sensitive-environment access than would normally be allowed.

Intent-Code Divergence

Medium
Confidence: 85%
Finding
The code performs database updates to release quarantined nodes and then mutates in-memory state for matching nodes, but wraps the whole block in a broad try/catch that silently swallows any error. This can leave persistent storage and in-memory state diverged or partially updated without any signal to callers, which is dangerous in a security-sensitive retrieval path because quarantined content may become incorrectly eligible or system state may become inconsistent.

Intent-Code Divergence

Medium
Confidence: 93%
Finding
The plan text says rollback/import will restore managed state from a snapshot, but the implementation also deletes the current SQLite DB, settings file, and adapter install-state when the snapshot metadata says those components are not included. That mismatch can cause destructive state loss during a rollback/import from a partial or malformed snapshot, violating operator expectations and making accidental denial of service or configuration loss possible.

Missing User Warnings

Medium
Confidence: 89%
Finding
The normalizer extracts and returns prompt text, tool inputs, and tool outputs from hook payloads, which can contain sensitive user data, secrets, file contents, or command results. Even though this file does not itself transmit the data elsewhere, centralizing and normalizing these fields increases the chance of downstream logging, storage, or exfiltration without minimization or explicit consent controls.

Missing User Warnings

Medium
Confidence: 86%
Finding
The reject_governance_approval action changes governance state but is marked requiresConfirmation: false and provides no visible local disclosure or secondary acknowledgement. In an operator-facing admin surface, silent rejection of pending approvals can bypass expected review workflows, cause denial of legitimate maintenance actions, and reduce auditability of who canceled what.

Missing User Warnings

Medium
Confidence: 90%
Finding
The executeAction method invokes any registered action.handler directly with attacker-controlled payload and performs no authorization, confirmation, or policy enforcement at the execution point. Although prepareAction exposes requiresConfirmation and advisory text, those are informational only and can be bypassed by calling executeAction directly, making high-impact or admin actions executable without guaranteed user consent.

Missing User Warnings

Medium
Confidence: 85%
Finding
This code forwards user-provided prompt/task data (`args.prompt`, `taskSummary`, `cwd`, `sessionId`) into runtime event handlers and prompt services, which can result in collection, storage, or downstream processing of sensitive user content. Even if this is intended telemetry/experience capture, the lack of any visible disclosure, consent gating, or minimization in this code makes it a real privacy/security concern because secrets entered into prompts may be persisted or reused implicitly.

Missing User Warnings

Medium
Confidence: 87%
Finding
The server exposes a generic action execution tool that can trigger brokered internal actions, while capability metadata indicates some actions include install, repair, upgrade, backup, import, rollback, and admin operations. Without an explicit user-facing risk warning, confirmation gate, or permission boundary at the execution entrypoint, an LLM client or user may invoke destructive or high-impact operations too easily.

Missing User Warnings

Medium
Confidence: 95%
Finding
This code serializes task summaries, context summaries, tool event outputs, error signatures, and injected node IDs into request bodies that are sent to external LLM endpoints. That creates a real data-exposure risk because these fields can contain sensitive repository content, secrets, internal URLs, credentials in logs, or proprietary workflow details, and there is no visible consent, minimization, or redaction in this file before transmission.

Missing User Warnings

Medium
Confidence: 93%
Finding
This subprocess launch bypasses the agent's normal permission model without any user-facing warning, confirmation, or audit-oriented notice in this file. That makes dangerous behavior easier to trigger accidentally and reduces the chance that users understand they are granting the child agent unrestricted capabilities in the project directory.

Missing User Warnings

Medium
Confidence: 89%
Finding
This hook forwards raw prompt content, context summaries, tool inputs, tool outputs, working directory, and session identifiers to the shared behavior loop without any consent gate, minimization, or visible notice in this code path. Because prompts and tool results can contain secrets, proprietary code, file paths, tokens, or personal data, this creates a real privacy and data-exposure risk if the downstream behavior loop stores, transmits, or analyzes that data beyond the user's expectations.

Missing User Warnings

Medium
Confidence: 93%
Finding
The hook handler persists raw hook payloads and normalized events to disk, including full JSON payloads and raw input, without any minimization, consent, or visibility controls in this code path. Because hook payloads can contain prompts, working directories, session identifiers, and tool-related context, this creates a privacy and data-retention risk if local files are later accessed by other users, malware, backups, or support processes.

Missing User Warnings

Medium
Confidence: 91%
Finding
The code reads a transcript path supplied in the payload and reconstructs the latest user prompt from that file, then feeds it back into runtime context. This is dangerous because it expands access from the incoming event to potentially sensitive conversation history on disk, and the path comes from untrusted payload data with no validation that it stays within an expected directory or belongs to the current session.

Missing User Warnings

Medium
Confidence: 89%
Finding
The interactive wizard prompts users for provider secrets and notes that they will be shared by installed hosts, but it does not clearly warn that the entered value will be persisted to local/shared storage rather than used only for the current session. This can lead to accidental long-term storage of sensitive credentials on disk, increasing the chance of unintended disclosure through backups, file permission issues, or multi-user host access.

Missing User Warnings

Medium
Confidence: 89%
Finding
This code transmits `queryText` plus rich candidate metadata to an external model endpoint selected at runtime, which can expose sensitive engineering context, identifiers, and historical signals to a third party. The issue is not overtly malicious, but there is no visible consent, minimization, or policy enforcement here, so if queries or candidate fields contain proprietary or personal data, the disclosure risk is real.

Missing User Warnings

Medium
Confidence: 91%
Finding
This code sends task summaries, context summaries, and top candidate hint data to an externally resolved model endpoint for a 'second opinion' safety decision. Because the endpoint may be remote and the transmitted fields can contain sensitive user or operational context, this creates a real data-exposure risk if users/operators are not explicitly informed and if the destination is not tightly controlled.

Missing User Warnings

Medium
Confidence: 89%
Finding
The code serializes rich candidate, distilled, and existing-node data and sends it to third-party LLM providers via HTTP requests. If those fields contain proprietary prompts, user content, or internal operational data, this creates a real data-exposure risk, especially because this component supports multiple external providers and the code itself shows no minimization, consent, or provider-boundary enforcement.

Missing User Warnings

Low
Confidence: 93%
Finding
The code includes the full ADC credential file path in diagnostics (`ADC credentials found at ${adcPath}`), which can disclose sensitive local filesystem information to logs or downstream consumers. While this does not expose the credential contents, it leaks environment details that can aid reconnaissance and may reveal custom credential locations.

Missing User Warnings

Medium
Confidence: 92%
Finding
The code writes a summary file and markdown report to disk containing operational metadata such as SQLite path, capture directory, task/runtime statistics, latest activity identifiers, and benchmark outputs. Persisting this data without access control, minimization, or explicit disclosure increases the risk of sensitive internal information exposure to other local users, log collectors, backup systems, or downstream tooling.

Missing User Warnings

Medium
Confidence: 94%
Finding
This section persistently writes history, benchmark, bundle, case-study, index, and evidence-package files, creating a durable archive of operational and evaluation data over time. Long-term retention and aggregation amplify exposure because trends, artifact paths, recommendations, and derived summaries can reveal system behavior and internal structure even if individual records seem harmless.

Missing User Warnings

Medium
Confidence: 93%
Finding
The evaluation flow persistently stores raw command stdout/stderr, scenario prompts, session IDs, and multiple derived reports to disk without any visible minimization, redaction, or consent gate in this file. Because the invoked agent is pointed at a repository and inherits environment/config context, these artifacts can unintentionally capture secrets, internal paths, sensitive repository contents, or operational metadata that remain exposed on disk for later access.

Missing User Warnings

Medium
Confidence: 88%
Finding
This worker serializes `capsule.trusted.route`, `capsule.trusted.inspection`, `capsule.trusted.scorecard`, and `capsule.evidence` and sends them to a configurable external LLM endpoint via `fetch`. Even though this appears to be intended functionality, it creates a real data-exposure risk because potentially sensitive internal inspection and evidence data are transmitted off-process without any visible minimization, allowlisting, consent, or locality controls in this code path.

Missing User Warnings

Medium
Confidence: 93%
Finding
This worker sends the full postmortem review capsule, including route metadata, run metadata, injected node information, review triggers, and evidence text, to a configurable external LLM endpoint via HTTP. If those fields contain sensitive operational or user-derived data, this creates a real data exfiltration and privacy/compliance risk, especially because the endpoint can be third-party or custom and this file shows no minimization, redaction, allowlisting, or disclosure/consent controls.

Missing User Warnings

Medium
Confidence: 94%
Finding
The code modifies persistent configuration under the user's home directory (~/.gemini/...) and installs plugin and MCP wiring automatically, with no confirmation, opt-in, or prominent warning in this file. Even if intended as installer behavior, silently changing global agent configuration can alter future tool execution and trust boundaries across sessions, which is risky for a skill/package installation path.

Missing User Warnings

Medium
Confidence: 95%
Finding
This code modifies project-local configuration files and writes an executable hook launcher into the workspace, which changes how future tool invocations are processed. Even if intended as installation logic, silently creating persistent hooks is security-sensitive because it can alter execution flow, capture tool inputs, and surprise users or downstream reviewers if performed without explicit consent and clear disclosure.

VirusTotal

59/59 vendors flagged this plugin as clean.