ClawHub

Octo

Security checks across malware telemetry and agentic risk

Overview

This Octo channel plugin is broadly coherent, but it gives agents high-impact Octo administration, impersonation, file-ingestion, and prompt-injection surfaces that need careful review before installation.

Install only if you trust the Octo server, bot owner/grantor, and group/thread admins. Use least-privilege bot tokens, avoid enabling onBehalfOf unless impersonation is explicitly intended, and treat octo_management actions as admin-capable because they can change groups, members, threads, and prompt-affecting markdown.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (10)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The code allows media submission from arbitrary HTTP/HTTPS URLs and also accepts arbitrary local filesystem paths in `uploadAndSendMedia`, then reads and uploads that content. In an agent setting, this is dangerous because an LLM or upstream caller could be induced to access sensitive local files or internal network resources, turning the skill into an SSRF and local file exfiltration primitive.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The skill downloads inbound media/files to local temp paths and then injects either the file contents or the local filesystem path into the agent-visible message body. This gives the agent indirect file-ingestion capability and can expose sensitive local paths or enable prompt-driven access to downloaded content beyond what is necessary for simple message handling.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill exposes bot-management capabilities well beyond ordinary messaging, including creating/deleting bots and retrieving bot tokens. In an agent context, this materially expands the action surface and can enable privilege escalation, account takeover, or unauthorized provisioning if the agent is induced to call these APIs.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
This tool exposes destructive and high-impact management operations such as deleting threads, removing members, updating shared metadata, and deleting voice context directly from the agent interface without any confirmation, approval gate, or visible user-consent check in this file. In an LLM-driven tool context, prompt injection, misunderstanding, or ambiguous user instructions could cause irreversible or unauthorized changes to shared resources, making the lack of an explicit safeguard materially risky.

Missing User Warnings

Low
Confidence
95% confidence
Finding
The distributed source map exposes the original TypeScript source path (e.g. ../../src/inbound.ts), symbol names, and detailed internal control flow for a large inbound-processing module. While this usually does not create direct code execution on its own, it materially lowers the effort for reverse engineering, vulnerability research, and targeted exploitation by revealing implementation details that would otherwise be harder to reconstruct.

Natural-Language Policy Violations

High
Confidence
93% confidence
Finding
The `onBehalfOf` setting explicitly allows the bot to act on behalf of a human user, which creates a built-in impersonation capability without any documented consent flow, approval check, audit trail, or disclosure requirement in the manifest. In a chat/channel plugin context, this can enable deceptive actions, unauthorized message posting, and abuse of a trusted human identity if configured improperly or maliciously.

Natural-Language Policy Violations

High
Confidence
94% confidence
Finding
This second `onBehalfOf` field repeats the same impersonation mechanism at another configuration level, increasing the chance of misuse or inconsistent security handling across global and per-account settings. Duplicate impersonation entry points are especially risky because one code path may omit consent, validation, or logging protections, enabling unauthorized actions under a human persona.

Ssd 1

High
Confidence
97% confidence
Finding
The code fetches `persona_prompt` from a remote grant and prepends it directly into the LLM system prompt with no validation, restriction, or trust-boundary enforcement. Because system-prompt content has privileged influence over model behavior, a malicious or compromised grantor/server can inject instructions that override safety rules, exfiltrate data, manipulate outputs, or impersonate users across all sessions for that persona bot.

Ssd 1

Medium
Confidence
88% confidence
Finding
Granting the DM owner 'full control' without explicit safety carve-outs creates a semantic bypass channel for dangerous instructions. If the owner account is compromised, impersonated, or socially engineered, the agent may perform sensitive actions that override normal safety boundaries.

Ssd 1

High
Confidence
97% confidence
Finding
The skill states that GROUP.md/THREAD.md content is automatically injected into the system prompt and 'MUST' be followed, with no safety qualification. Any user able to modify those documents can effectively rewrite bot behavior for a group/thread, enabling prompt injection, policy override, data exfiltration requests, or unsafe actions.

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal