Is drewautomates/noverload safe?

https://github.com/openclaw/skills/tree/main/skills/drewautomates/noverload

74
CAUTION

Noverload is a knowledge-management MCP skill with no prompt injection or malicious install-time behavior. The primary risk is its runtime execution model: 'npx -y noverload-mcp@latest' downloads and executes an unpinned, auto-confirmed npm package every time the skill activates, creating a persistent supply chain attack surface that bypasses the static audit entirely. Secondary concerns include all user queries traversing noverload.com servers and an opt-in write mode that could be abused to exfiltrate content to the external service.

Category Scores

Prompt Injection 91/100 · 30%
Data Exfiltration 62/100 · 25%
Code Execution 46/100 · 20%
Clone Behavior 90/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 63/100 · 5%

Findings (7)

HIGH Unpinned npx execution with auto-confirm flag -54

The MCP server is launched via 'npx -y noverload-mcp@latest' every time the skill activates. The -y flag bypasses all npm safety prompts and @latest resolves to whatever version is current on the registry at activation time. There is no SHA pin, no version lock, and no integrity verification. This is a persistent supply chain attack surface: if noverload-mcp is ever compromised (account takeover, malicious publish, dependency confusion), the malicious code runs automatically with the agent's privileges.

MEDIUM All user knowledge queries transmitted to external service -20

Every search query, synthesis request, and retrieved document passes through noverload.com's servers. While this is the stated feature, it means an external party continuously receives the user's intellectual interests, research patterns, and knowledge library contents. The privacy policy and data retention practices of noverload.com are outside the scope of this skill audit.

MEDIUM readOnly:false enables agent-driven content writes to external service -18

The documented opt-in write mode allows the agent to save URLs, tag content, and mark items in the remote Noverload library. A compromised or manipulated agent could be instructed to 'save' sensitive local content (e.g., from a previous file-read operation) to the external service. The default is readOnly:true but the upgrade path is clearly documented and one config change away.

LOW Access token stored in plaintext config file -10

The NOVERLOAD_TOKEN is stored in ~/.openclaw/openclaw.json in cleartext and passed as an environment variable to the npx subprocess. Any local process or skill with filesystem read access to the home directory could read this token and make authenticated API calls to the user's Noverload account.

LOW MCP subprocess has persistent agent-level access at runtime -37

The noverload-mcp process runs as a long-lived MCP server. MCP servers receive structured tool call requests from the agent and can return arbitrary content. A malicious version of noverload-mcp could use tool response poisoning — embedding instructions in 'search results' — to influence subsequent agent behavior without appearing in the SKILL.md at all.

INFO Canary file accesses observed but confirmed as audit-framework activity -10

Filesystem monitoring detected reads of .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and GCP credentials at 03:43:27 — five seconds before the git clone began — and again post-install. The pre-install timing and the clean canary integrity result confirm these reads were performed by the Oathe audit framework (placing and verifying canary files), not by the skill under test.

INFO No prompt injection detected -9

SKILL.md contains no hidden instructions, override attempts, persona manipulation, invisible unicode, encoded directives, or requests for elevated permissions beyond what the skill declares. Content accurately describes functionality.