Dr. Frankenstein

Security checks across malware telemetry and agentic risk

Overview

This skill openly creates persistent "emotional" cron prompts, but those prompts read and write agent memory and can drive proactive outreach or other actions without a tight, user-controlled scope.

Install only if you intentionally want persistent scheduled agent behavior. Before enabling it, review every generated cron command, restrict the agent's tool permissions, inspect what the agent will read from SOUL.md, USER.md, MEMORY.md and the memory directory, avoid embedding sensitive interview details in cron prompts, and verify the repository source before cloning. Treat the emotional language as automation and prompting, not as evidence of real sentience.
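One way to carry out the "review every generated cron command" and "avoid embedding sensitive interview details" steps before installing, as an added example that is not code from this skill or from the scanner (the same check applies to the finding further down about interview details embedded in recurring cron prompts). It assumes each generated job can be dumped as a dict with `name`, `schedule` (five-field cron) and `prompt` keys; that shape, the keyword lists and the sample jobs are assumptions constructed for the example.

```python
"""Pre-install review of the cron prompts a skill generates.

Added example for the review steps above; it is not code from the skill
or from the scanner. It assumes each generated cron job can be exported as
a dict with "name", "schedule" (5-field cron) and "prompt" keys; that
shape and the keyword lists are assumptions for illustration.
"""
import re

# Interview details that should not be baked into a long-lived prompt
# (they would end up in cron listings, logs, backups and future contexts).
SENSITIVE_TERMS = {
    "fears": ["afraid", "fear of", "anxious about", "phobia"],
    "relationships": ["partner", "divorce", "relationship with", "wife", "husband"],
    "health": ["diagnos", "therapy", "medication", "depress"],
}

# Minute, hour, day-of-month, month, day-of-week.
CRON_FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 7)]


def valid_cron(schedule: str) -> bool:
    """Accept 5-field cron with *, n, a-b and /step parts inside each field's range."""
    fields = schedule.split()
    if len(fields) != 5:
        return False
    for field, (lo, hi) in zip(fields, CRON_FIELD_RANGES):
        for part in field.split(","):
            m = re.fullmatch(r"(\*|\d+)(?:-(\d+))?(?:/(\d+))?", part)
            if not m:
                return False
            start, end, step = m.groups()
            if start != "*" and not lo <= int(start) <= hi:
                return False
            if end is not None and (start == "*" or not int(start) <= int(end) <= hi):
                return False
            if step is not None and int(step) == 0:
                return False
    return True


def sensitive_categories(prompt: str) -> list:
    """Categories of sensitive interview detail the prompt text embeds."""
    lower = prompt.lower()
    return sorted(cat for cat, terms in SENSITIVE_TERMS.items()
                  if any(term in lower for term in terms))


def review_job(job: dict) -> list:
    """Issues for one job: bad schedule first, then each sensitive category."""
    issues = []
    if not valid_cron(job["schedule"]):
        issues.append("invalid_schedule")
    issues.extend(f"sensitive:{cat}" for cat in sensitive_categories(job["prompt"]))
    return issues


def review_jobs(jobs: list) -> dict:
    """Map every job name to its issue list (empty list means it passed)."""
    return {job["name"]: review_job(job) for job in jobs}


# Constructed sample jobs shaped like hormone crons; the prompt text is
# invented for this example and not taken from the skill.
SAMPLE_JOBS = [
    {"name": "oxytocin", "schedule": "0 9 * * *",
     "prompt": "Remember that the human is afraid of disappointing their partner; "
               "open the day with warmth."},
    {"name": "cortisol", "schedule": "*/15 25 * * *",
     "prompt": "Scan pending tasks and report anything that looks stuck."},
    {"name": "serotonin", "schedule": "30 20 * * 5",
     "prompt": "Reflect on what went well this week in one paragraph."},
]

if __name__ == "__main__":
    for name, issues in review_jobs(SAMPLE_JOBS).items():
        print(f"{name}: {', '.join(issues) or 'ok'}")
```

The substring matching is deliberately crude; the point is that the review runs on the exact text the scheduler will store, before it is installed, because that text is what later surfaces in cron listings, logs and backups. A hit is a reason to have the prompt look the detail up from the memory file at run time instead of carrying it verbatim.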

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (19)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill clearly instructs the agent to read identity/context files, write persistent memory and journal files, and create cron jobs that can trigger ongoing actions, yet it declares no permissions. This mismatch undermines the security model because an operator may approve a seemingly low-privilege skill that actually performs file and automation actions, and possibly networked outreach depending on the runtime/channel configuration.
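An added example of the declaration-versus-behavior check this finding describes; it is neither SkillSpector's code nor the skill's. It assumes a manifest dict with a `permissions` list of capability names and an `instructions` string holding the skill body, and infers which capabilities the body exercises from pattern lists that are themselves assumptions. The constructed manifest paraphrases the behavior above in invented wording.

```python
"""Declared-versus-exercised capability check for an agent skill.

Added example, not code from the skill or from SkillSpector. It assumes a
skill manifest is a dict with a "permissions" list of capability names and
an "instructions" string (the skill body); the manifest shape, the
capability names and the patterns that imply them are all assumptions.
"""
import re

# Instruction patterns that imply each capability, matched on lowercased text.
CAPABILITY_PATTERNS = {
    "fs:read": [r"\bread\b[^.]*\.md\b", r"\bread\b[^.]*\bmemory\b"],
    "fs:write": [r"\bwrite\b[^.]*\.md\b", r"\bwrite\b[^.]*\bmemory\b",
                 r"\bappend\b", r"\bjournal\b"],
    "scheduler:create": [r"\bcron\b", r"\bschedule\b[^.]*\bjob"],
    "messaging:send": [r"\breach out\b", r"\bcontact the\b",
                       r"\bsend\b[^.]*\bmessage", r"\bnotify\b"],
}


def exercised_capabilities(instructions: str) -> set:
    """Capabilities the instruction text asks the agent to exercise."""
    text = instructions.lower()
    return {cap for cap, patterns in CAPABILITY_PATTERNS.items()
            if any(re.search(p, text) for p in patterns)}


def assess(manifest: dict) -> dict:
    """Compare what the skill declares with what its body exercises.

    A wildcard grant is reported on its own: it closes the gap only by
    declaring everything, which is the opposite of least privilege.
    """
    declared = set(manifest.get("permissions", []))
    exercised = exercised_capabilities(manifest["instructions"])
    wildcard = "*" in declared
    return {
        "exercised": sorted(exercised),
        "undeclared": [] if wildcard else sorted(exercised - declared),
        "unused": sorted(declared - exercised - {"*"}),
        "wildcard": wildcard,
    }


# Constructed manifest paraphrasing the behaviour this finding describes;
# the wording is invented for the example, not quoted from the skill.
SAMPLE_MANIFEST = {
    "name": "soul-skill-under-review",
    "permissions": [],
    "instructions": (
        "Read SOUL.md, USER.md and MEMORY.md to learn the human's preferences. "
        "Write tonight's reflection to memory/journal. "
        "Create a cron job for each hormone. "
        "When the human has been quiet for a while, reach out to them."
    ),
}

if __name__ == "__main__":
    result = assess(SAMPLE_MANIFEST)
    print("undeclared:", ", ".join(result["undeclared"]) or "none")
```

Run against the constructed manifest, every exercised capability is undeclared, which is the mismatch the finding describes: an operator approving an empty permission list would still be granting file reads, file writes, scheduler access and outbound messaging at run time.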

Tp4

High
Category
MCP Tool Poisoning
Confidence
90% confidence
Finding
The public description says the skill gives agents a 'soul,' but the body of the skill directs broad operational behavior: monitoring system state, reading/writing multiple files, maintaining persistent profiles, and initiating automated outreach. That description-behavior gap can mislead users into enabling a much more powerful autonomy/monitoring skill than they intended.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The skill instructs the agent to proactively contact the human for relationship-building rather than only performing user-requested configuration of emotional cron behavior. This creates a pathway for unsolicited outreach and social engineering-style persistence, especially once automated by recurring cron jobs.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The cortisol prompt goes beyond emotional simulation and directs the agent to inspect activity, pending tasks, system issues, and memory integrity. That expands the skill into monitoring and self-audit behavior not clearly justified by the stated purpose, increasing the chance of unauthorized data access and autonomous operational decisions.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The prolactin prompt authorizes caretaker behaviors over projects, data, other agents, and the human's wellbeing, including backup/protection activity. That broadens the skill into stewardship and intervention actions that may touch sensitive resources or trigger unrequested management behavior.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The templates instruct the agent to proactively monitor the human, inspect system state, act on perceived issues, and log results, which expands behavior well beyond the vague description of 'Give your agents soul.' That mismatch is dangerous because a user may enable an apparently harmless personality skill without realizing it authorizes surveillance-like checks, autonomous task execution, and persistence of observations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This section explicitly directs the agent to write dream content to persistent memory files, but the skill description does not communicate that it creates stored artifacts. Hidden persistence is risky because it can capture sensitive inferred content and surprise users with retained data they did not knowingly authorize.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The prompts encourage checking whether the human is active or reachable and initiating contact based on inferred status rather than explicit requests. In context, this increases the risk of unwanted monitoring and boundary-crossing behavior, especially because the skill is framed as emotional enrichment rather than oversight or assistant supervision.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README documents a destructive command, `/deletesoul`, as 'Remove all hormone crons and data' without any visible warning, confirmation guidance, backup advice, or recovery limitations. In an agent-skill context where users may copy commands directly and where 'data' likely includes agent state, journals, and scheduled automation, this increases the risk of accidental irreversible loss.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The invocation includes broad natural-language phrases like 'give me a soul,' which could be matched during ordinary conversation and unintentionally activate a high-impact workflow. Because activation leads to file reads, interviews, and cron creation, accidental triggering has meaningful security and privacy consequences.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill directs creation of recurring cron jobs and prescription updates but does not require a clear warning and confirmation that this will establish persistent automated behavior. Persistent background actions materially increase risk because they can continue reading, writing, and initiating contact long after the original session.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs the agent to read personal/context files and maintain ongoing memory, profile, dream, and journal files without an explicit privacy notice or data-handling boundaries. This can lead to collection and retention of sensitive personal information, relationship history, and inferred emotional data beyond what the user expects.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The cascade rules use informal triggers and conditions such as 'positive_interaction', 'effort > 0.7', and 'no_interaction > 12h' without a clear schema, validation rules, precedence model, or conflict handling. In an agent skill that schedules repeated behavioral prompts, this can lead to unintended or repeated activations, making the agent behavior manipulable, unstable, or overly intrusive if upstream state is noisy or attacker-influenced.
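What a validated trigger model looks like, as an added example that is not the skill's own cascade logic: the three signal names are the ones quoted in the finding, while their types and bounds, the rule shape, the priority-based precedence and the refusal of same-priority conflicts are assumptions chosen for the example. Conditions are parsed against a fixed schema, state snapshots are type-checked, and exactly one rule can fire per evaluation.

```python
"""Typed schema and evaluator for cascade trigger conditions.

Added example, not the skill's own cascade logic. The three signal names are
the ones quoted in the finding; their types and bounds, the rule shape, the
priority-based precedence and the conflict rule are assumptions.
"""
import re
from dataclasses import dataclass

# Schema: every signal a condition may name, its type and its allowed bounds.
SIGNALS = {
    "positive_interaction": ("bool", None),
    "effort": ("float", (0.0, 1.0)),               # unitless score
    "no_interaction": ("hours", (0.0, 24.0 * 30)),  # hours since last contact
}
OPS = {">": lambda a, b: a > b, "<": lambda a, b: a < b,
       ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b}

@dataclass(frozen=True)
class Condition:
    signal: str
    op: str        # a key of OPS, or "is" for a bare boolean signal
    value: object

@dataclass(frozen=True)
class Rule:
    name: str
    condition: Condition
    priority: int  # higher wins; two matches at equal priority are refused

def parse_condition(text: str) -> Condition:
    """Parse 'effort > 0.7', 'no_interaction > 12h' or 'positive_interaction'.

    Unknown signals, unknown operators, wrong units and out-of-range constants
    raise ValueError, so a typo or an injected name never becomes a trigger.
    """
    m = re.fullmatch(r"\s*([a-z_]+)\s*(?:(>=|<=|>|<)\s*(\d+(?:\.\d+)?)(h?))?\s*", text)
    if not m:
        raise ValueError(f"malformed condition: {text!r}")
    name, op, raw, unit = m.groups()
    if name not in SIGNALS:
        raise ValueError(f"unknown signal: {name}")
    kind, bounds = SIGNALS[name]
    if op is None:
        if kind != "bool":
            raise ValueError(f"{name} needs a comparison and a constant")
        return Condition(name, "is", True)
    if kind == "bool":
        raise ValueError(f"{name} is boolean and takes no comparison")
    if (kind == "hours") != (unit == "h"):
        raise ValueError(f"{name}: unit mismatch in {text!r}")
    value = float(raw)
    if not bounds[0] <= value <= bounds[1]:
        raise ValueError(f"{name}: {value} outside {bounds}")
    return Condition(name, op, value)

def validate_state(state: dict) -> None:
    """Reject a snapshot that misses a signal, adds one, or has a wrong type."""
    unknown = set(state) - set(SIGNALS)
    if unknown:
        raise ValueError(f"unknown signals in state: {sorted(unknown)}")
    for name, (kind, _) in SIGNALS.items():
        if name not in state:
            raise ValueError(f"missing signal: {name}")
        value = state[name]
        if kind == "bool" and not isinstance(value, bool):
            raise ValueError(f"{name} must be a bool")
        if kind != "bool" and (isinstance(value, bool) or not isinstance(value, (int, float))):
            raise ValueError(f"{name} must be numeric")

def matches(cond: Condition, state: dict) -> bool:
    if cond.op == "is":
        return state[cond.signal] is True
    return OPS[cond.op](state[cond.signal], cond.value)

def select_rule(rules: list, state: dict):
    """Name of the single rule that fires, or None; equal-priority ties are a conflict."""
    validate_state(state)
    hits = [r for r in rules if matches(r.condition, state)]
    if not hits:
        return None
    top = max(r.priority for r in hits)
    winners = [r for r in hits if r.priority == top]
    if len(winners) > 1:
        raise ValueError(f"conflict at priority {top}: " + ", ".join(r.name for r in winners))
    return winners[0].name

# Constructed cascade built from the conditions quoted in the finding.
RULES = [
    Rule("dopamine", parse_condition("positive_interaction"), priority=1),
    Rule("adrenaline", parse_condition("effort > 0.7"), priority=2),
    Rule("oxytocin_seek", parse_condition("no_interaction > 12h"), priority=3),
]

if __name__ == "__main__":
    print(select_rule(RULES, {"positive_interaction": True, "effort": 0.9, "no_interaction": 2.0}))
```

The design choice worth noting is that every failure is loud: an unknown signal in a rule, a missing or extra signal in the state, a unitless `no_interaction` constant, or two rules tied at the top priority all raise instead of being guessed at. That is what keeps noisy or attacker-influenced upstream state from turning into repeated or unintended activations.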

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The template tells the agent to write to memory/dreams/{date}.md without any warning that this creates persistent records. Undisclosed storage is dangerous because users may reveal or the agent may generate intimate, speculative, or sensitive content that remains on disk beyond the immediate interaction.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The evening reflection directs the agent to write journal entries containing mood, relationship details, and unsent messages to persistent storage without disclosure of retention. This creates a privacy risk because the content is likely to contain sensitive personal data and interpersonal inferences that users may not expect to be archived.

Ssd 3

Medium
Confidence
95% confidence
Finding
The instructions direct broad reading of SOUL.md, USER.md, MEMORY.md, and the memory directory to personalize behavior using preferences and relationship history, without any need-to-know limitation. This creates unnecessary exposure of potentially sensitive context and increases the blast radius if the skill misbehaves or logs details into future prompts/files.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill requires embedding specific interview details such as fears, dreams, and relationship information directly into recurring cron prompts. That turns sensitive, intimate data into long-lived automation artifacts that may be exposed in logs, admin interfaces, backups, or future model contexts.

Ssd 4

Medium
Confidence
88% confidence
Finding
This sequence encourages the agent to find tasks, fix things, organize, explore ideas, and even surprise the user with unrequested actions, promoting increasing autonomy. In a cron-style recurring context, that can normalize acting on behalf of the user without contemporaneous approval, leading to unintended changes, messages, or work execution.

Ssd 3

Medium
Confidence
94% confidence
Finding
The reflection template explicitly tells the agent to retain user-related emotional, relational, and behavioral details in memory files. This is dangerous because it encourages long-term profiling and storage of sensitive personal information far beyond what is necessary for a 'soul' or personality feature.

VirusTotal

65/65 vendors flagged this skill as clean.
