Evolution档案 - Personal Evolution Companion

Security checks across malware telemetry and agentic risk

Overview

This is a local personal-growth tracker that stores sensitive mood and habit data, but its behavior is coherent, disclosed, and purpose-aligned.

Install only if you are comfortable keeping personal mood, habit, low-point, and reflection data in a local plaintext JSON file. Consider using explicit commands, confirming before saving entries, disabling automatic detection, and periodically reviewing or deleting ~/.openclaw/data/evolution档案.json.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrases include very common expressions such as '今天怎么样', '汇报', and '给我看数据', which can activate the skill during ordinary conversation without clear user intent. Because the skill persists sensitive emotional and behavioral data, accidental activation can cause unwanted collection, storage, or disclosure of personal information.

Vague Triggers

Medium
Confidence: 93%
Finding
The state-logging triggers are generic everyday phrases like '状态很好', '太难了', '想放弃', and '打卡', which overlap heavily with normal chat. In context, this is more dangerous because the skill is designed to infer and store mental state, habits, and emotional lows, so false activations can silently create a sensitive behavioral profile.

Missing User Warnings

Medium
Confidence: 88%
Finding
The skill presents itself as a warm companion and immediately frames continuous tracking, but it does not clearly warn the user up front that it stores highly sensitive emotional, behavioral, and reflection data on disk. For a journaling-style skill, lack of prominent notice and informed consent increases privacy risk and the chance users disclose more than they realize will be retained.

VirusTotal

65/65 vendors flagged this skill as clean.