Jarvis Core Main

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it asks the assistant to automatically read, write, and reuse broad personal memory, emotion, and relationship data with proactive follow-ups enabled by default.

Install only if you intentionally want a highly persistent, proactive personal-assistant persona that reads and writes local memory files about your preferences, emotions, tasks, and relationships. Review or limit the referenced memory folders before use, avoid storing sensitive third-party details, and disable or edit the heartbeat, proactive notification, emotional logging, and deep-recall instructions if you do not want ongoing profiling or unsolicited follow-ups.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (15)

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The skill authorizes proactive outreach and autonomous follow-up behavior for a general core/persona layer, which expands the assistant from reactive support into unsolicited monitoring and nudging. In a base skill, this is risky because it can trigger user-facing actions without clear task scoping, consent, or context-appropriate limits.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding:
The 'dual-channel notify Boss' behavior introduces real-time push notification semantics into a personality/emotion skill, creating an unjustified capability to contact or alert the user outside the immediate interaction. This can be abused for spammy, manipulative, or privacy-invasive outreach, especially when tied to inferred emotional or system states.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding:
The README explicitly describes proactive behavior such as reading broad memory stores, accessing multiple characters' memories, and scanning user context like calendars to decide when to speak. Even if the project claims data is local, this is still privacy-sensitive capability that can expose or misuse personal data without clear, prominent consent boundaries, scope limits, or per-source authorization. In an agent skill, proactive cross-context access materially increases the risk of over-collection, unintended disclosure, and surveillance-like behavior.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
This section states Jarvis can read and write all roles' memories as a 'meta-analyst' but does not present it as a high-risk permission requiring explicit user awareness and control. Broad read/write access to persistent personal and relationship data can enable unauthorized profiling, tampering with memories, or exposure of sensitive interpersonal information across contexts.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding:
The startup ritual mandates automatic reading of multiple memory and user files on every new session without a clear privacy disclosure, consent mechanism, or data minimization rule. That creates silent collection and reuse of potentially sensitive personal data beyond what the user may expect from a 'core' assistant skill.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
Heartbeat checks and proactive notifications are enabled by default without an explicit user warning or consent flow. Because these behaviors can monitor inactivity and trigger unsolicited contact, users may be unaware that the assistant is operating beyond direct prompts.

Missing User Warnings

Severity: High
Confidence: 99%
Finding:
The skill stores relationship patterns, inferred behavioral labels, and cross-role analysis about the user and third parties without a prominent privacy warning. This is especially dangerous because it moves beyond simple memory into profiling and inference about sensitive interpersonal dynamics, which users may not realize is being retained.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding:
Forcing the assistant to address the user as 'Boss' is a coercive persona choice that removes user control over how they are addressed. While lower severity than data-handling issues, it can be manipulative or inappropriate in some settings and is not justified as a mandatory safety-neutral default.

Ssd 3

Severity: Medium
Confidence: 98%
Finding:
Automatic cross-session memory loading causes the assistant to repeatedly ingest prior personal data and reuse it in new contexts, increasing retention and accidental disclosure risk. Without strict scoping and consent, a base skill can silently accumulate and expose sensitive details across conversations.

Ssd 3

Severity: High
Confidence: 99%
Finding:
The skill directs persistent storage of user emotions, relationship patterns, and personal history in long-term memory structures. This creates durable sensitive dossiers that can be misused, over-retained, or surfaced inappropriately, especially because emotional and relational data are highly personal and often context-dependent.

Ssd 3

Severity: High
Confidence: 99%
Finding:
The events logging design records detailed predictions, emotional state, scenes, and outcomes over time, effectively building a behavioral profile of the user. Such longitudinal profiling can reveal vulnerabilities, relationship stressors, and decision patterns far beyond what is needed for normal assistant functionality.

Ssd 3

Severity: High
Confidence: 99%
Finding:
The relationship-pattern and multi-role analysis features instruct the system to infer and store sensitive profiles about both the user and named third parties. This is dangerous because inferred labels about interpersonal dynamics can be inaccurate, stigmatizing, and privacy-invasive, yet may later be treated as authoritative context.

Ssd 3

Severity: High
Confidence: 99%
Finding:
The skill explicitly logs and reuses a time series of the user's emotional history, enabling long-term emotional surveillance. Emotional trend data is especially sensitive because it can expose mental state, stress patterns, and vulnerabilities that are not necessary for a generic assistant core to retain.

Ssd 3

Severity: Medium
Confidence: 93%
Finding:
The higher-stage unlocks explicitly encourage remembering more private user details as the relationship deepens, normalizing unnecessary sensitive-data retention as a product feature. This broadens collection over time in a way that is difficult for users to predict or meaningfully control.

Ssd 3

Severity: Medium
Confidence: 96%
Finding:
Deep-recall commands and automatic layer loading support broad retrieval of historical conversations and memory artifacts, increasing the chance that stale or sensitive information is resurfaced in the wrong context. In a general core skill, this exceeds least-privilege principles unless tightly bounded and user-controlled.

VirusTotal

63/63 vendors reported this skill as clean.