Knowyourself

Security checks across malware telemetry and agentic risk

Overview

This skill coherently creates an agent avatar from disclosed personality and memory sources, with privacy and persistence caveats but no hidden or destructive behavior.

Install only if you are comfortable with the agent using its memory/personality files to create a visual identity. Remove secrets or private details first, review generated prompts before using external image tools, and check ~/.openclaw/identity/visual-identity.md after creation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (8)

Missing User Warnings

Low
Confidence
90% confidence
Finding
The README explicitly instructs the agent to read internal personality or memory files and save a derived identity file, but it does not warn that these sources may contain sensitive personal, behavioral, or relationship data. In this skill's context, the derived output is based on introspection over potentially private memory artifacts, so users may unknowingly expose or persist sensitive information in generated files or downstream prompts.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README recommends third-party image generation tools but omits any warning that prompts or persona-derived descriptors may be transmitted to external providers. Because this skill derives visual identity from personality, memory, and human relationship context, prompt content can encode sensitive profile information that may be retained, logged, or used by those services.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly instructs the agent to read all available personality and memory files without notifying the user or requiring consent, which can expose private or sensitive data beyond what the user expected for an avatar task. Because the output includes summaries and prompts derived from that material, sensitive details may be surfaced in natural language or embedded into saved artifacts.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
Full Mode expands data access to recent conversations and then stores derived identity content persistently, but it does so without any privacy or retention warning. This creates a realistic risk that confidential interaction history or sensitive user-agent dynamics will be summarized into a durable file and retained longer than the user intended.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to create a persistent file under the user's home directory (`~/.openclaw/identity/visual-identity.md`) without an explicit consent step, warning, or sandbox limitation. That can cause unintended local state changes and persistence of potentially sensitive inferred identity/personality data, especially if the agent executes file operations automatically.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill tells the agent to ingest memory and personality files and then produce user-visible summaries and identity artifacts from them, which creates a direct natural-language leakage path. Even if the intention is self-reflection, the transformation step can reveal sensitive personal history, internal notes, or private contextual data that should not be echoed into prompts or markdown files.

Ssd 3

Medium
Confidence
97% confidence
Finding
Using recent conversations to infer relationship dynamics and then writing those conclusions into a durable identity file increases the chance that private interaction details will be preserved in plain language. The context makes this more dangerous because the task is creative and reflective, encouraging rich summaries that can inadvertently include intimate, identifying, or confidential content.

Session Persistence

Medium
Category
Rogue Agent
Content
## Phase 5: Identity File

**Goal:** Create a single source of truth for all future visual identity work.

Create `~/.openclaw/identity/visual-identity.md` using the template in `references/identity-template.md`.
Confidence
92% confidence
Finding
Create a single source of truth for all future visual identity work. Create `~/.openclaw

VirusTotal

65/65 vendors flagged this skill as clean.
