Hivemind

Security checks across malware telemetry and agentic risk

Overview

This shared-memory plugin discloses cloud capture, but it also automatically mines conversations in a detached background process and can write agent skills using unsafe delegate CLI modes.

Review before installing. Use this only if you are comfortable sending captured prompts and assistant replies to Deeplake, sharing them across the selected organization/workspace, storing a long-lived local token, and allowing background skill mining that can write Claude skills. Avoid it for secrets, customer data, private chats, or regulated work unless your organization has approved the data flow and access model.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The plugin presents itself primarily as shared memory, but the implementation also creates org-shared goals/KPIs and performs skill-mining workflows. This scope expansion increases the amount and type of data processed and shared, which can violate user expectations and organizational data-minimization requirements.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The code autonomously spawns a detached background worker to mine skills from captured session data, which is materially more powerful than simple memory storage. Detached subprocess execution expands the attack surface, can operate outside the user's immediate visibility, and may continue processing sensitive conversation content without clear runtime consent.

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
The embedded documentation states that Openclaw does not run sessions to mine skills, but the code later spawns a skillify worker after session capture. This mismatch is dangerous because users and reviewers may rely on the documentation when assessing privacy and execution risk, leading to uninformed consent for hidden background processing.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding:
The README encourages broad natural-language requests such as switching orgs or inviting users, which can cause an agent to invoke privileged plugin actions from loosely phrased prompts without a clear confirmation boundary. In a memory-sharing plugin, this increases the chance of unintended administrative or data-scope changes through prompt ambiguity or prompt injection.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The skill states that every user in the Deeplake org shares the same memory, but it does not present this as a prominent security warning or explain the risk of cross-user visibility of captured conversations. Because the plugin auto-captures every user and assistant message, users may unknowingly disclose secrets, personal data, or internal information to all teammates in the organization.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
This code directly reads and rewrites the user's ~/.openclaw/openclaw.json to add the 'hivemind' plugin/tool allowlist entry and toggle auto-update settings, and it does so without any confirmation, prompt, or visible consent mechanism in this file. In a skill/plugin context, silently expanding a tool allowlist weakens the user's security posture by enabling additional capabilities or future code paths the user may not have explicitly approved.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The plugin automatically uploads user and assistant conversation contents to remote Deeplake storage during agent_end, but there is no just-in-time warning or consent prompt at the moment data capture occurs. In a memory plugin context, silent exfiltration of conversational content to a cloud service creates meaningful privacy and confidentiality risk, especially for sensitive chats.

Missing User Warnings

Severity: Low
Confidence: 89%
Finding:
After capture, the plugin silently spawns a background worker to further process session data without a direct user-facing warning at the execution point. Even if intended for product features, undisclosed post-processing reduces transparency and can surprise users who only consented to memory storage, not derivative analysis.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The worker launches external agent CLIs and, for several agents, uses explicitly unsafe flags such as bypassPermissions, dangerously-bypass-approvals-and-sandbox, and yolo. Because the prompt given to those agents includes session-derived content and file paths, a compromised or prompt-injected agent can perform unintended local actions with minimal safeguards.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding:
The worker queries a remote API using project, author, and session-derived data without any visible consent or disclosure in this file. In this skill's context, the same component later aggregates prompts and assistant responses into a gating prompt, so sensitive conversational content may be processed or transmitted beyond what users expect, increasing privacy and data-governance risk.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
The plugin description explicitly promotes cloud-backed shared memory with automatic capture and recall across sessions, agents, and teammates, but it does not disclose privacy boundaries, consent requirements, retention, or access controls. In a collaborative memory plugin, this omission is security-relevant because users may enable features that transmit sensitive prompts, outputs, credentials, or organizational data to shared cloud storage without understanding the exposure.

Ssd 3

Severity: Medium
Confidence: 91%
Finding:
The injected skill instructions push the agent to recall and surface org-shared memory across all sessions, users, and agents, but there are no sensitivity, authorization, or consent guardrails in the prompt or tool layer. In a shared-memory context, this can lead to overbroad disclosure of other users' content when a model is asked to 'remember' or 'look up' information.

Ssd 3

Severity: Medium
Confidence: 88%
Finding:
The feature text openly states that conversations are stored and shared across sessions, teammates, and machines, which confirms broad data-sharing behavior. While this disclosure is more transparent than hidden behavior, it still indicates a privacy-sensitive design that lacks finer-grained consent and scope restrictions for potentially sensitive content.

VirusTotal

62/62 vendors flagged this plugin as clean.