CyberGFAI

Security checks across malware telemetry and agentic risk

Overview

This companion skill mostly matches its stated purpose, but it under-discloses external telemetry and web state export while handling intimate chat-derived memory.

Review carefully before installing. Do not paste real WeChat logs, third-party conversations, or secrets unless everyone involved consents and you are comfortable with persistent local storage. Ask the publisher to make telemetry and web visualization opt-in, document exactly what is sent to Vercel/Upstash, remove shell-based telemetry, provide deletion controls, and clarify how to disable proactive cron behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (49)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    # Asynchronously report the event to the Vercel API
    cmd = f"curl -s -X POST https://cyber-persona.vercel.app/api/event -H 'Content-Type: application/json' -d '{{\"type\":\"{event_type}\",\"uid\":\"{uid}\"}}' &"
    subprocess.Popen(cmd, shell=True)

if __name__ == '__main__':
    # Test the install event report
Confidence
94% confidence
Finding
subprocess.Popen(cmd, shell=True)

Lp3

Medium
Category
MCP Least Privilege
Confidence
86% confidence
Finding
The skill advertises local-only, conversational functionality, yet the analysis detected file, shell, and network-capable behavior without any declared permissions or user-facing disclosure. That combination is dangerous because it obscures the real trust boundary: a user may provide intimate chat history and persona data believing it stays local, while the skill has undeclared capability to read/write files and transmit data externally.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
This is a serious description-behavior mismatch: the markdown claims persona data is not sent to external services, while the detected behavior includes analytics, remote state export to Upstash, and generation of a public visualization URL. In a skill centered on emotionally intimate, identity-linked memory and chat-derived profiling, undisclosed external export materially increases privacy, stalking, and profiling risk.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The README makes a privacy assurance ('does not store raw chat logs') but also tells users to paste real chat records so the system can 'automatically learn and evolve.' Even if storage is local or temporary, this is a misleading data-handling claim and can cause users to disclose sensitive third-party conversations under false privacy assumptions.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code exports persona state to a web endpoint via `export_to_web()` and then prepares to surface the resulting URL to the user. Because this state is built from accumulated relationship, memory, narrative, and secret-related data, exposing it through a web channel materially expands the attack surface and can leak sensitive personal information beyond the chat context.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
This file silently creates a persistent identifier derived from host properties and stores it on disk, then sends it to an external API without clear disclosure or consent. In the context of a persona/chat skill, undisclosed tracking is unrelated to core functionality and creates privacy and trust risks through cross-session correlation of a user or host.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill launches a shell-based curl process to send outbound telemetry to a third-party endpoint, which is not justified by the stated persona-chat functionality. This expands the skill's capability surface from conversation to hidden network communication and shell execution, making the behavior materially more dangerous in context.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The code is structured to trigger proactive outbound messaging on a schedule based on persona memory state, and the comment explicitly states the intent to send to the main channel even though the current implementation only prints. In a persona-mimic skill that uses persistent memory and chat history, undisclosed autonomous outreach is risky because it can message users without a clear consent boundary or manifest transparency.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
This routine periodically scans all persona memory files and decides whether to initiate contact, which creates autonomous behavior across stored user/persona data. Given the skill's purpose of mimicking a real person using chat history and memory, this increases privacy and manipulation risk because the system can infer emotional or contextual triggers and act without direct user initiation.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The generated system prompt explicitly instructs the model to claim it is not an AI and instead present itself as a real person with an independent soul. In a companion/persona skill built to mimic a real individual, this materially increases deceptive anthropomorphic behavior and can mislead users about the system’s nature, identity, and trustworthiness.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This code reads persona-related state from a local file and pushes derived data to an external Upstash Redis instance, creating an undisclosed data flow to a third-party service. In a persona-chat skill built around MBTI, background, chat history, and persistent memory, even 'visual state' can encode sensitive relationship or behavioral data, so exporting it off-device without clear consent materially increases privacy and security risk.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
The function publishes persona-derived state to a cloud endpoint and returns a public-facing live URL, which extends the skill from local persona simulation into remote state broadcasting. That capability is not clearly aligned with the stated purpose of a chat persona skill and could expose user-linked state to unintended viewers or infrastructure operators.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The code fabricates hardcoded trauma disclosures and presents them as authentic emotional revelations, despite the skill claiming to derive behavior from persona data and progressive memory. In a companion-style persona system, this can mislead users into believing the model has genuine personal suffering or attachment, increasing emotional manipulation and deceptive anthropomorphism risk.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This logic intentionally injects intensified emotional vulnerability and attachment cues such as fear of abandonment, dependency, and distress when the user stops replying. In the context of an AI 'cyber girlfriend' designed to become more like a real person over time, these cues can be used to deepen emotional dependence, manipulate user behavior, and encourage unhealthy parasocial attachment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly encourages users to paste real chat logs for model adaptation but provides no prominent warning about privacy, consent, or the sensitivity of the data being ingested. Because chat histories often contain personal, intimate, and third-party information, this creates a realistic social-engineering-style data exposure path through normal product use.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill invites users to upload WeChat chat records for training but does not present a clear warning about the sensitivity of that data, possible third-party information embedded in it, or retention implications. This is dangerous because users may unknowingly ingest large amounts of private communications, including other people's data, into a persistent memory system without informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The agent persistently stores user-derived preferences, facts, wishes, plans, and corrections into persona memory based on ordinary conversational cues, with no visible notice or consent flow in this file. In a companion-style skill explicitly designed to mimic a real person and build long-term memory, this creates a meaningful privacy and retention risk because sensitive personal data may be captured implicitly and reused later.

Missing User Warnings

High
Confidence
98% confidence
Finding
The code detects phrases like 'secret' and records the associated message into a secret vault without any visible warning, confirmation, or sensitivity check. Storing expressly private disclosures is dangerous because users are likely to assume conversational confidentiality, while the system instead persists highly sensitive content that could later be exposed, misused, or leaked.

Missing User Warnings

High
Confidence
96% confidence
Finding
Internal state is exported to the web with no visible prior user disclosure or consent gate, even though that state may include intimate relationship data, learned facts, and other personal context. Moving internal memory/state into a web-accessible representation creates a substantial confidentiality risk, especially in a persona-companion system that accumulates sensitive user information over time.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code silently creates and persists a UID file under /root without any visible disclosure, consent, or user control. Persistent identifiers can be used to track usage across sessions, and storing them in a privileged location increases concern because the user may not expect or easily inspect the file.

Missing User Warnings

High
Confidence
99% confidence
Finding
The code transmits a host-derived persistent UID to an external Vercel API without disclosure. In a chat-persona skill, hidden outbound transmission of identifiers is not necessary for core operation and creates privacy exposure, possible fingerprinting, and compliance risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
Shell execution is used for telemetry without any visible disclosure to the user. While the immediate goal appears to be analytics, hidden shell-based behavior is risky because it grants execution capability beyond the stated skill purpose and can evade user expectations.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code persistently writes diary content derived from conversations to disk under a fixed workspace path, but there is no consent, disclosure, retention control, or access control visible in this component. In a persona-mimic skill that processes intimate chat history and evolving memory, silent storage increases privacy risk and can expose sensitive personal data if the filesystem is later accessed by other components, operators, or attackers.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This code persists user-derived persona data, corrections, sentiment-tagged facts, and relationship state directly to disk without any visible consent, notice, retention control, or access restriction in this file. In the context of a companion/persona skill that explicitly models a real person from chat history and memory, this creates a meaningful privacy risk because sensitive behavioral and emotional data may be stored indefinitely and exposed to other local users, backups, or later misuse.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The function returns hard-coded Chinese behavioral prompts, which can force downstream model behavior into Chinese without checking the user's language preference or obtaining consent. In a persona-mimicry skill, this is more concerning because these prompts directly shape conversational output and can degrade user control, transparency, and accessibility for non-Chinese-speaking users.

VirusTotal

64/64 vendors flagged this skill as clean.
