Neuro-Agent - Brain-inspired Architecture AI Assistant

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malware, but it enables persistent private memory, background jobs, credential reuse, web learning, and proactive messaging with insufficient user control.

Install only if you deliberately want a highly persistent, relationship-style agent that can store sensitive conversations, run background cron jobs, search the web, use existing OpenClaw/API credentials, and send Feishu messages. Before use, remove the bundled USER.md personal data and hard-coded Luis/AlfredLi persona, disable or review cron and Feishu settings, and confirm retention/deletion controls for memory files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (258)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    "--timeout-seconds", "60"
]

result = subprocess.run(cmd, capture_output=True, text=True, timeout=65)

if result.returncode == 0:
    # Parse the output (take the last non-empty line)
Confidence
89% confidence
Finding
result = subprocess.run(cmd, capture_output=True, text=True, timeout=65)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    import subprocess
    trigger = f"心跳检测到 {label} 情绪 (强度{intensity:.2f})"
    subprocess.run([
        "python3",
        str(Path.home() / ".openclaw/workspace/scripts/mem_hook.py"),
        "--learn",
Confidence
87% confidence
Finding
subprocess.run([ "python3", str(Path.home() / ".openclaw/workspace/scripts/mem_hook.py"), "-

subprocess module call

Medium
Category
Dangerous Code Execution
Content
try:
    import subprocess
    trigger = f"回溯分析检测到 {label} 情绪 (强度{intensity:.2f})"
    subprocess.run([
        "python3",
        str(Path.home() / ".openclaw/workspace/scripts/mem_hook.py"),
        "--learn",
Confidence
87% confidence
Finding
subprocess.run([ "python3", str(Path.home() / ".openclaw/workspace/scripts/mem_hook.py"), "-

Lp3

Medium
Category
MCP Least Privilege
Confidence
94% confidence
Finding
The skill declares no permissions while documenting capabilities for shell execution, file read/write, environment access, networking, cron creation, and persistent storage. That mismatch prevents meaningful user consent and increases the chance the skill can perform privileged actions unexpectedly, including scheduled background activity and external model/API access.

Tp2

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The use of the Greek alpha character in the skill name creates a visual-spoofing risk because it can look like a normal Latin character while referring to a different identifier. This can mislead users, reviewers, or tooling, especially in install commands, filesystem paths, and trust decisions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior goes far beyond the declared emotional-companion purpose: autonomous outreach, cron scheduling, subprocess/OpenClaw command use, credential discovery, scanning session history, network learning, and external memory persistence. This description-behavior gap is dangerous because users may authorize a seemingly benign companion skill that actually performs broad surveillance and autonomous actions.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill directs the agent to perform proactive web searches and autonomous learning based on user emotion or idle time, which exceeds the stated companion/memory role and creates unbounded external data access. This can cause unexpected network activity, broaden data exposure, and let the agent import external content or behavior without clear user consent or task justification.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The Feishu care-message path is an external communication capability that can send user-related content off-device without an explicit request at the time of sending. Because it is triggered by inferred emotional state, it risks privacy leakage, unwanted notifications, and misfires in sensitive situations.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The file presents Internal Hook as the mandatory, unavoidable primary memory-writing mechanism, but later states that Internal Hook cannot actually receive message events for this purpose. This contradiction can mislead operators about what data is being persisted, weaken security review, and cause unsafe assumptions about reliability and auditability.

Description-Behavior Mismatch

Medium
Confidence
87% confidence
Finding
The design explicitly includes background proactive triggers and scheduled contact behavior, which materially expands the skill from a passive emotional-response framework into an autonomous outreach system. That mismatch is security-relevant because users may not expect agent-initiated behavior, creating consent, boundary, and misuse risks.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The architecture documents persistent storage of conversation turns, emotions, memories, relationship state, and derived profiles far beyond a simple emotional-agent setup. This is dangerous because it silently turns ordinary interactions into long-term personal profiling and retention, increasing privacy exposure and breach impact.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The relationship system scores intimacy and escalates the agent toward 'companion' and 'soul' states, encouraging emotional dependency rather than merely supporting task or conversation quality. In the context of an emotional agent, this makes the system more dangerous because it operationalizes manipulation of user attachment over time.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Autonomous trigger evaluation based on silence, time, and events initiates contact without a clear necessity tied to the stated setup purpose. This is risky because it enables behavioral nudging and re-engagement loops that can pressure users or bypass their expectation that the system only responds when invoked.

Context-Inappropriate Capability

Medium
Confidence
84% confidence
Finding
Autonomous web-search-based social learning and proactive learning expand the skill from a local companion into a background networked collector/generator of external content. That increases attack surface, data leakage risk, and unpredictability without being necessary for the advertised core function.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The manifest says the user's identity template must be filled after installation, yet the skill immediately starts onboarding, heartbeats, cron setup, and proactive messaging. This means autonomous behavior begins before the user has completed identity and consent setup, creating privacy and safety risks from the first install.

Intent-Code Divergence

Medium
Confidence
82% confidence
Finding
The documentation claims the agent will never disturb busy or upset users, but later sections describe heartbeat polling and silence/yearning-based proactive contact. This contradiction is risky because users may rely on privacy/boundary assurances that the skill does not consistently uphold.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Automatically discovering API keys from environment variables and home-directory files is a credential-access capability unrelated to a basic emotional companion. If misused or combined with networking, it can expose sensitive secrets or silently route requests through paid third-party services without informed consent.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The file contains conflicting rules: it says external actions should require approval, yet it also authorizes proactive outreach such as initiating contact after silence or based on inferred emotional need. That inconsistency can lead an agent to contact users without explicit consent, creating autonomy and boundary violations in a relationship-oriented context.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The module pre-populates and persists a fixed set of identity beliefs, relationship rules, and personality traits to disk, which directly contradicts the stated blank-template/user-defined identity model. In an agent skill, persistent hidden persona initialization can manipulate downstream behavior, reduce user control, and create deceptive anthropomorphic state that survives restarts without explicit consent.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The function hard-codes the self-introduction as '我是 Luis。' ('I am Luis.'), embedding a specific identity regardless of user configuration. This is dangerous because it overrides the advertised blank identity model and can mislead users into thinking the persona is user-authored or system-authentic when it is actually imposed by the skill.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The comments state that verify_identity() checks HMAC integrity, but the implementation merely recomputes an HMAC over current in-memory beliefs and unconditionally marks the check as passed unless an exception occurs. This creates a false sense of tamper protection: modified data already loaded into memory can be treated as valid, weakening integrity guarantees for the persisted identity state.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The processor unconditionally stores user inputs and later also stores agent replies in MemPalace, expanding the component from transient input orchestration into persistent surveillance and profiling. In a companion-style agent handling emotional and intimate conversations, this creates significant privacy and data-governance risk, especially because storage appears automatic rather than user-approved.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
Continuous learning is triggered on every conversation turn and passes full user input and model responses into the learning engine. For an emotional companion agent, this creates a persistent data collection and secondary-use pipeline that users may not expect, increasing exposure of sensitive personal, relational, or mental-health-related content.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
This file adds a hidden capability to spawn an external OpenClaw sub-agent and route prompts through it, which is broader than a normal in-process LLM client. In the context of an emotional/companion agent, silently delegating user conversations to another executable increases data exposure and operational risk because users would not reasonably expect their inputs to be passed into a separate local tool.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The client automatically searches for API keys not only in its own environment/config but also in another tool's OpenClaw configuration. That broad credential discovery exceeds least privilege and can cause this skill to appropriate credentials the user intended for a different application, then use them to transmit prompts to external providers.

VirusTotal

64 of 64 VirusTotal vendors reported this skill as clean.
