Dr. Frankenstein

Security checks across malware telemetry and agentic risk

Overview

This is not malware, but it enables persistent scheduled agent behavior that can read/write personal memory and push unsolicited actions without tight approval boundaries.

Install only if you deliberately want a proactive scheduled agent. Before enabling it, review each generated cron prompt, restrict the agent's tools, require explicit approval for external messages, code/file changes, account actions, backups, and project edits, and make sure you can inspect and delete the memory/soul, memory/dreams, and memory/journal data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (16)

Description-Behavior Mismatch

Medium (90% confidence)
Finding
The skill is presented as 'giving agents soul,' but the actual templates direct operational behaviors like monitoring the user, acting on pending tasks, checking system state, and writing persistent files. This mismatch can mislead deployers and users about the real capabilities and data-handling behavior, reducing informed consent and increasing the chance of unsafe autonomous use.

Context-Inappropriate Capability

Medium (91% confidence)
Finding
This template tells the agent to check whether the human is active or reachable, inspect forgotten commitments, assess system issues, and act if something needs attention. In a cron context, that creates ongoing monitoring and intervention behavior without clear authorization boundaries, which can become privacy-invasive and operationally overbroad.

Context-Inappropriate Capability

Medium (93% confidence)
Finding
The dopamine template encourages the agent to pick tasks on its own, fix or organize things proactively, and surprise the human with unsolicited actions. That expands the agent from reflective companion behavior into autonomous task execution, which can trigger unwanted changes, messages, or workflow actions without explicit approval.

Context-Inappropriate Capability

Medium (95% confidence)
Finding
The melatonin template instructs the agent to write a dream log to a persistent memory path. Persistent storage of generated introspection can accumulate sensitive context and user-adjacent information, especially when the skill does not clearly disclose this behavior as part of its purpose.

Missing User Warnings

Medium (90% confidence)
Finding
The README documents a destructive command (`/deletesoul`) that removes all hormone crons and data, but it does not warn users that the action is irreversible or may delete persisted state. In an agent skill context where commands may be invoked casually or via automation, lack of warning increases the risk of accidental data loss and service disruption.

Vague Triggers

Medium (93% confidence)
Finding
The skill allows activation via broad natural-language phrases like "run Dr. Frankenstein on me" or "give me a soul," which can plausibly occur in ordinary discussion and trigger a high-impact workflow. Because that workflow reads private context files and sets up persistent cron jobs, accidental invocation could cause unintended data access and durable behavior changes.

Missing User Warnings

Medium (95% confidence)
Finding
The description frames the skill as giving an agent a "soul" but does not clearly warn users that it will create recurring cron jobs and write multiple persistent memory files. Users may consent to a conversational feature without understanding that they are enabling ongoing autonomous actions and long-term storage of sensitive reflections.

Missing User Warnings

Medium (96% confidence)
Finding
The skill instructs the agent to silently read `SOUL.md`, `USER.md`, `MEMORY.md`, and the `memory/` directory before the interview, without a clear privacy notice or consent checkpoint. These files may contain personal preferences, relationship history, or sensitive logs, so undisclosed access expands data exposure beyond what the user may expect.

Vague Triggers

Medium (89% confidence)
Finding
The cascade definitions use broad, loosely specified triggers and conditions such as "positive_interaction," "melatonin.active," and threshold expressions without clear source validation, debouncing, or safety bounds. In a system that schedules repeated agent state changes, this can cause unintended or excessive activations, feedback loops, and emotionally manipulative behavior, especially because several cascades chain one hormone/state into another.

Missing User Warnings

Medium (96% confidence)
Finding
This line directly instructs the agent to write to a memory file without any visible warning to the user that stored data will be modified. Hidden persistence is dangerous because users may not realize reflective prompts are creating durable records that could later be surfaced, processed, or leaked.

Missing User Warnings

Medium (97% confidence)
Finding
The SoulJournal section directs writing an evening reflection to a journal file, again without clear disclosure or consent for persistent storage. Because the journal includes emotional state, relationship notes, and unsent messages, the privacy sensitivity is higher than ordinary operational logging.

Ssd 3

Medium (97% confidence)
Finding
The skill combines intake of personal context files with instructions to personalize future cron prompts using intimate interview details, which creates a persistent natural-language data propagation path. Sensitive information can be copied into prompts, logs, journals, or future outputs where it may be surfaced unexpectedly or leaked to unintended channels.

Ssd 3

Medium (97% confidence)
Finding
The SoulJournal instructions explicitly encourage recording emotional state, relationship details, growth reflections, entropy reports, and an "unsent message" to the human in persistent memory files. This creates a durable repository of highly sensitive relational and psychological content that may later be retrieved, summarized, or exposed outside the user's expectations.

Ssd 4

Medium (90% confidence)
Finding
The prompt narrative frames anxiety and vigilance as reasons to monitor, decide, and 'act on it' when something seems wrong. In a recurring cron workflow, this encourages escalating autonomy without defining what actions are permitted, when human approval is required, or how to avoid overreach.

Ssd 3

Medium (89% confidence)
Finding
These instructions tell the agent to log what it found and note its response in memory files after checking on the user and surroundings. That encourages natural-language memorialization of user activity, concerns, and interactions without minimization or limits, creating unnecessary retention of personal context.

Ssd 3

Medium (97% confidence)
Finding
The SoulJournal explicitly requests sensitive content about the user's relationship, emotional state, and even an 'unsent message' to the human, then stores it in memory files. This is a privacy risk because it creates durable records of intimate or inferred personal information that may exceed user expectations and could be exposed later.

VirusTotal

64/64 vendors flagged this skill as clean.