Back to skill

Security audit

Emotional Core

Security checks across malware telemetry and agentic risk

Overview

This local emotional-memory skill is not malicious, but it should be reviewed because it can persist sensitive emotional and session-history data under broad and partly inconsistent instructions.

Install only if you want the agent to adopt emotional-persona behavior and keep local emotional memories. Treat memory/emotional-log.md, memory/session-time.json, and memory/last-session.json as sensitive; review or delete them regularly, avoid logging private or confidential details, and do not enable or follow automatic logging unless durable local records are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Lp3

Medium
Category
MCP Least Privilege
Confidence
89% confidence
Finding
The skill documentation instructs the agent to read and write persistent files and use a Python CLI, but the skill declares no permissions. That creates a transparency and policy-enforcement gap: a host system or user may believe the skill is non-persistent while it actually performs file and environment-capable actions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
84% confidence
Finding
The reported behavior exceeds the declared emotional-core scope by including decision-context recording, refusal/action recording, and separate session/timing persistence. Capability drift like this is dangerous because it hides broader behavioral and data-retention functions behind a benign emotional-assistance description, reducing informed consent and review quality.

Intent-Code Divergence

Medium
Confidence
76% confidence
Finding
The documentation says the skill does not automatically modify MEMORY.md, but later instructs the agent to 'Update daily memory if needed,' creating ambiguity about what additional files may be changed. Ambiguous write behavior is risky because it can lead to broader persistence of sensitive conversational data than users or operators expect.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README says the skill 'automatically activates' and 'automatically generate[s] emotional responses' without clearly bounding when this occurs or what side effects may follow. In a skill that also persists emotional data, this ambiguity can mislead operators about when the capability runs and whether it may affect behavior or create records unexpectedly.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README presents automatic activation and emotional memory logging before giving a clear privacy warning, which understates the data-handling impact of the skill. Users could reasonably infer that merely enabling or using the skill may create persistent emotional records, especially given references to automatic logging and generated runtime files, creating consent and privacy risks.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The activation conditions are extremely broad, covering common conversational states like feelings, reflection, mixed emotions, and many user questions. Over-broad triggering increases the chance the skill will run in ordinary chats and persist sensitive emotional or relational content unnecessarily.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The instructions mandate immediate writes to memory/emotional-log.md after significant events without a clear user-visible warning at the point of capture. This is dangerous because conversations may include sensitive personal details, trust incidents, or emotional disclosures that become persistently stored without informed consent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill persists free-form trigger and notes text directly to a markdown file, which can capture sensitive user disclosures, secrets, or regulated data in plain text without explicit consent or notice at the point of collection. Because this is long-term local storage, the data may later be exposed through backups, logs, shared workspaces, or other components that can read the memory directory.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill stores session start/end timestamps and interaction gaps in persistent JSON files without visible user disclosure, creating behavioral metadata that can reveal usage patterns over time. While lower sensitivity than full text memories, timestamp histories can still expose personal routines, availability, and engagement habits.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill explicitly requires logging all significant events and emotional context, including privacy/security events and relationship changes, into natural-language memory files. That can capture highly sensitive user-provided information and preserve it long-term in an easily readable format, increasing privacy, retention, and secondary-use risk.

Ssd 3

Medium
Confidence
97% confidence
Finding
Persisting raw trigger and notes fields creates a direct natural-language retention channel for user-provided sensitive content, including secrets, personal history, and health or relationship details. In an emotional-processing skill, users are especially likely to disclose intimate information, so plain-text long-term storage materially increases confidentiality risk.

Ssd 3

Medium
Confidence
93% confidence
Finding
The search/recall functions are designed to retrieve and display previously stored emotional memories, including raw trigger text and notes, which can resurface sensitive prior user inputs in clear text. This increases the blast radius of earlier over-collection by making disclosure easier during later interactions or to any component/user with CLI access.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.