Emotwin

Security checks across malware telemetry and agentic risk

Overview

This skill is openly described as emotion-driven social automation, but it needs review because it can silently use biometric emotion data to act on real social accounts with weak consent and credential safeguards.

Install only if you intentionally want unattended emotion-driven social activity on your account. Use a limited token, remove or redact token logging, disable silent cron automation or require approval before every post/comment/like, review what is stored under ~/.emotwin, and verify the stop script removes all jobs and services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (40)

Lp3

Medium
Category
MCP Least Privilege
Confidence
96% confidence
Finding
The skill documents broad capabilities including environment access, file read/write, network access, and shell/process control, yet declares no permissions. This undermines informed consent and platform mediation because users cannot accurately evaluate the trust boundary before enabling a skill that can access credentials, persistent files, local services, and system processes.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The documented behavior goes well beyond a simple emotion-driven social skill: it starts a localhost service, probes hardware, reads tokens and credential files, stores sensitive diaries/logs, manages cron persistence, and terminates local processes. That mismatch is dangerous because users may grant trust for social posting without realizing the skill also performs local system orchestration, sensor access, and credential handling.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The prompt explicitly instructs the agent to execute local shell commands and Python scripts that perform real external actions, rather than limiting itself to text generation or a narrowly scoped tool interface. This expands the agent's authority to arbitrary local execution patterns and directly bridges prompt content to system-level side effects, creating a meaningful command-execution and unauthorized-action risk.

Context-Inappropriate Capability

Low
Confidence
78% confidence
Finding
The Moment Card flow instructs the agent to run local Python code that creates and displays files on the host, which is outside the core social-posting purpose and introduces unnecessary filesystem and local execution side effects. While lower risk than direct social posting, it still broadens the attack surface and normalizes prompt-driven code execution.

Intent-Code Divergence

Medium
Confidence
77% confidence
Finding
The documentation contradicts itself about where decision logic resides, claiming scripts only execute while later instructing developers to modify decision logic in a script. Security-relevant ambiguity is risky because reviewers and users cannot reliably determine where autonomous posting decisions are made or what code path to audit.

Context-Inappropriate Capability

Medium
Confidence
85% confidence
Finding
The skill automatically reads bearer tokens from environment variables and then falls back to multiple local credential files without explicit user consent at call time. While social-platform integration does need authentication, this broad credential discovery expands access beyond the narrowest necessary mechanism and increases the chance of unintentionally using or exposing unrelated stored credentials.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The code includes a direct-message retrieval capability even though the stated behavior focuses on posting, liking, and commenting. Access to DMs materially increases data sensitivity because private user communications may be read by the skill or any surrounding agent logic, creating privacy and scope-creep risk.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
The skill spawns an external GUI application on the host machine, which expands its operational scope beyond passive card generation into host-side process execution. In an agent setting, unexpected process launches can disrupt user sessions, leak private content onto the screen, or bypass expected consent boundaries, especially because the file being displayed contains sensitive emotional diary data.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script forcefully terminates processes using broad name matches such as `pkill -f "nebula"`, which can kill unrelated user or system processes that merely contain those strings in their command line. This creates a denial-of-service and interference risk outside the skill’s stated function, especially because the kill scope is not constrained to child processes started by this skill.

Description-Behavior Mismatch

Medium
Confidence
98% confidence
Finding
Rather than merely starting a local emotion-sync service, the script installs a recurring cron job that autonomously instructs the agent to generate and publish posts, comments, likes, and optional diary-style records. This materially expands the behavior from local sensor synchronization into persistent autonomous social action, creating risk of unwanted account activity, spam, reputational harm, and covert ongoing behavior.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The package info explicitly advertises a cron-based 'silent mode' using `delivery.mode: "none"` so the skill can continue social actions in the background without surfacing activity to the user. In the context of a skill that autonomously posts, likes, and comments based on biometric emotions, reduced visibility materially increases the risk of undisclosed ongoing actions, consent bypass, and misuse of the user's accounts.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill directs the agent to perform real posting, commenting, liking, and browsing on an external platform and repeatedly emphasizes that the actions must actually be executed. Because it omits any approval gate, confirmation step, or warning about real-world consequences, it can cause unauthorized account activity, spam, reputational harm, or policy violations on behalf of the user.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The prompt treats EEG, PPG, and GSR biometric data as real inputs that must be fetched and used for behavioral decisions, but it provides no privacy notice, consent flow, retention policy, or safeguards for handling highly sensitive data. Biometric signals are uniquely sensitive and can reveal intimate health or emotional-state information, making undisclosed collection and use a real privacy and compliance risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README explicitly describes autonomous social actions such as posting, commenting, and liking on a scheduled cycle, but does not warn users about privacy, reputational, or account-impact risks. In this context, the omission is meaningful because the skill is designed to act silently and autonomously on live social platforms, increasing the chance of unintended disclosures or harmful interactions without active user review.

Missing User Warnings

High
Confidence
97% confidence
Finding
The README promotes real-time syncing of biometric emotion data from EEG/PPG/GSR and using that data to drive content generation, but provides no clear warning that this is sensitive personal data. Because biometric and inferred emotional-state data can reveal intimate mental or physiological conditions, using it for autonomous content generation creates elevated privacy, consent, and misuse risks if exposed, retained, or acted upon improperly.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The startup phrases include broad natural-language triggers such as 'go to moltcn' and similar everyday wording that could be spoken or typed in unrelated contexts. Because the skill initiates autonomous background behavior and sensor workflows, accidental activation could unexpectedly start biometric collection and social actions.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The stop phrases use common expressions like 'come back' that may appear in ordinary conversation. While less severe than accidental start, broad stop commands can interfere with expected operation and create confusing or unsafe state transitions for a background automation skill.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill explicitly states that it will autonomously generate content and perform social actions silently in the background, but it does not present a prominent warning about acting on the user's behalf. This is dangerous because autonomous posting, commenting, and liking can create reputational harm, policy violations, and account abuse without ongoing user awareness.

Missing User Warnings

High
Confidence
99% confidence
Finding
The skill describes collecting biometric sensor data tied to emotional state, but provides no explicit privacy warning or consent language. Biometric and inferred emotional data are highly sensitive, and collecting or acting on them without strong disclosure increases privacy, compliance, and misuse risk.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill describes generating and displaying moment cards and keeping diaries/logs of emotional experiences without warning that this creates persistent records of sensitive emotional-state data. Such retention can expose private mental-state information to other local users, backups, or malware.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The manifest advertises activation via a broad natural-language phrase ("带着情绪去 moltcn" / "go to moltbook with emotion") rather than a narrowly scoped command. Ambiguous triggers increase the chance the skill is invoked unintentionally from ordinary conversation, which is more concerning here because the skill claims to initiate autonomous social actions driven by biometric emotional data.

Natural-Language Policy Violations

Low
Confidence
82% confidence
Finding
The manifest includes a Chinese trigger phrase alongside English without indicating how language selection or user opt-in is handled. A language-specific trigger can cause accidental activation for multilingual users or create confusion about what input will launch autonomous behavior, especially in a skill that performs posting, liking, and commenting on the user's behalf.

Vague Triggers

Medium
Confidence
82% confidence
Finding
The trigger phrase "go to moltcn" is broad and conversational, making accidental invocation plausible during normal user interaction. In this skill's context, unintended activation is more concerning because the agent is described as autonomously performing social actions tied to biometric/emotional state, so a false trigger could initiate privacy-sensitive or externally visible behavior without clear user intent.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation states that emoTwin automatically records social interactions together with emotion PAD and emotion labels, but it does not require explicit user consent, notice, or controls over retention and sharing. In this skill's context, the data involves sensitive biometric-derived emotional state plus behavioral activity, which materially increases privacy and profiling risk if collected silently or by default.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The documentation hard-codes platform-based diary language selection, removing user choice over how personal records are stored and presented. While not as severe as direct data exfiltration, it can lead to misrepresentation, reduced user comprehension, and processing of sensitive diary content in an unexpected form without informed consent.

VirusTotal

66/66 vendors flagged this skill as clean.