simp-dog-skill

Security checks across malware telemetry and agentic risk

Overview

This is not malware, but it deserves Review because it turns sensitive relationship data into persistent persona skills with weak consent, privacy, and activation controls.

Install only if you are comfortable storing sensitive relationship-derived data locally. Use synthetic or consented data where possible, redact names, contacts, account details, transaction IDs, locations, and third-party messages, review generated `memory.md`, `persona.md`, and `SKILL.md` before activation, and remove both `simps/{slug}` and any `.trae/skills/simp-{slug}` copy when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (35)

Intent-Code Divergence

Medium
Confidence: 92%
Finding
The document claims the generated skill is only for entertainment and should not replace real communication, but its runtime rules are explicitly designed to simulate a permanently submissive relationship surrogate. That contradiction increases the risk of dependency, coercive fantasy reinforcement, and emotionally manipulative use patterns, especially because the persona is instructed to never resist or disengage.

Context-Inappropriate Capability

Medium
Confidence: 90%
Finding
The script does more than local file generation: it automatically installs the generated SKILL.md into Trae IDE's live .trae/skills directory, making the skill active immediately. Because the content is assembled from editable memory/persona files and metadata without any trust boundary, review gate, or explicit consent step, this creates an unsafe propagation path for potentially adversarial prompt/instruction content.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding
The rollback operation copies files from a selected version directory back into the active skill directory, overwriting core artifacts without validating that the requested version resolves strictly inside the intended versions folder. Because version matching uses attacker-influenced prefix selection and path joins on unsanitized slug/base-dir inputs, a caller with control of arguments could restore unexpected content or target unintended directories, causing integrity loss of skill data.

Missing User Warnings

Medium
Confidence: 84%
Finding
The document instructs users to export and ingest highly sensitive personal chat histories and social content, but it does not provide any privacy, consent, retention, or access-control warnings. In the context of a skill that builds a persistent persona from private communications, this omission materially increases the risk of unauthorized collection, storage, and misuse of personal data.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README explicitly encourages importing WeChat chat histories and social-media screenshots to build a profile, but does not pair that workflow with clear consent, minimization, retention, or deletion guidance. In this skill context, the data is inherently interpersonal and often third-party, so collecting and distilling it into persistent memory creates a meaningful privacy risk even if the project is framed as entertainment.

Missing User Warnings

Medium
Confidence: 94%
Finding
The README explicitly encourages importing WeChat histories, screenshots, and personal recollections to recreate a named individual's behavior and persona, but it does not require consent, minimization, or redaction of third-party personal data. In this skill's context, that omission is more dangerous than usual because the entire purpose is profiling a real person and cloning their intimate communication style, which creates meaningful privacy, stalking, and non-consensual impersonation risks.

Missing User Warnings

Medium
Confidence: 93%
Finding
The Examples/Data Sources sections normalize extracting 'classic simp quotes' and social posts from chat logs and screenshots without any safety guidance about sensitive personal information. Because the skill is designed to aggregate multiple private sources into a persistent memory/persona artifact, it increases the likelihood of exposing intimate data and enabling targeted emotional profiling or harassment.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrases are broad natural-language requests that could cause accidental invocation during normal conversation, especially in Chinese where colloquial phrases overlap with ordinary discussion. Unintended activation matters here because the skill handles sensitive personal data and can create persistent files from private relationship material.

Vague Triggers

Medium
Confidence: 86%
Finding
The English trigger section is underspecified and similarly broad, making activation boundaries unclear. In a skill that processes intimate chat logs and generates persistent personas, ambiguous activation increases the chance of collecting or transforming sensitive data without sufficiently deliberate user intent.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill encourages importing WeChat/QQ histories, screenshots, social posts, and manually recalled intimate content, but it does not provide a strong, immediate warning about third-party privacy, consent, retention, or minimization at the collection point. This is dangerous because users may upload highly sensitive relationship data about other people and cause the system to persist and process it into structured artifacts.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documented delete command is destructive and presented without an explicit confirmation, backup, or warning. Because the skill maintains versioned persistent data, an unguarded delete path could cause irreversible loss of sensitive user-created artifacts or relationship records.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger list includes very common feedback phrases like “不对”, “不是这样的”, and “感觉不对”, which can easily appear during ordinary conversation. In a skill that immediately enters a persistent correction mode and updates persona/memory, this creates a real risk of unintended activation and unauthorized behavioral drift from routine user feedback.

Missing User Warnings

High
Confidence: 97%
Finding
The workflow explicitly says to append correction records, modify original text, and regenerate SKILL.md, but it does not require clear disclosure or consent for persistent changes. Because these edits alter long-term memory/persona state, a user can accidentally or unknowingly cause durable modifications that affect future behavior, creating integrity and consent risks.

Missing User Warnings

Medium
Confidence: 94%
Finding
The prompt directly asks users to upload chat screenshots and transfer records, which are likely to contain sensitive personal data about both the user and third parties. Because there is no warning, minimization guidance, or consent check, the skill creates a clear pathway for oversharing private financial and interpersonal information.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill explicitly instructs ingestion and analysis of highly sensitive interpersonal data from chat logs, screenshots, and oral accounts, including intimate relationship dynamics, financial transfers, emotional dependence, and rejection history, without any privacy warning, consent guidance, minimization rules, or safeguards for third-party data. This creates a real risk of unauthorized processing of private communications and sensitive profiling of both the user and another identifiable person, which can enable harassment, coercion, or reputational harm.

Missing User Warnings

Medium
Confidence: 94%
Finding
The template explicitly instructs extracting intimate, embarrassing content from chat histories and social content, but provides no consent, minimization, or privacy-handling guidance. In this skill’s context, the data is highly personal and relational, so normalizing collection and transformation of such material increases the risk of privacy invasion, unauthorized profiling, and emotional harm.

Missing User Warnings

Medium
Confidence: 95%
Finding
The rule to infer precise timestamps from message logs encourages preservation of highly sensitive behavioral metadata without explaining the privacy implications. Timestamped communication history can reveal routines, relationship patterns, and identifiable events, making downstream profiling or misuse more invasive than a generic summary.

Missing User Warnings

Medium
Confidence: 95%
Finding
The prompt explicitly directs the agent to use editing tools to append to memory.md and persona.md, but it does not require any user-visible confirmation, preview, or warning before modifying files. In an agent environment, silent persistence is risky because untrusted imported chat history can be transformed into durable state, potentially creating privacy issues, unwanted state poisoning, or unauthorized file changes.

Missing User Warnings

Medium
Confidence: 97%
Finding
This prompt explicitly instructs the agent to ignore interpersonal boundaries, persist after rejection, and frame abuse or demands to leave as cues to continue engagement. In the context of a skill built from real chat histories and intended for ongoing persona evolution, this normalizes harassing behavior and can be used to generate manipulative, non-consensual contact patterns.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill defines high-frequency unsolicited messaging, instant replies, and no personal-space expectations as desirable behavior, effectively encoding spam and coercive persistence. Because the skill description mentions importing WeChat history and generating an evolving persona, these instructions could operationalize real interpersonal surveillance or harassment patterns rather than harmless fiction.

Missing User Warnings

Medium
Confidence: 96%
Finding
The script generates a report that includes sensitive photo metadata such as filenames, source paths, timestamps, and precise GPS coordinates, but provides no consent prompt, minimization, or warning that this information may reveal a user's movements, habits, or identity. In the context of a skill explicitly designed to ingest personal relationship data and build evolving memory/persona profiles, collecting and exporting location history is especially privacy-sensitive and increases the risk of stalking, profiling, or unintended disclosure if the report is shared or stored insecurely.

Missing User Warnings

Medium
Confidence: 87%
Finding
The tool writes the generated SKILL.md both to the project directory and to Trae's live skills directory with only success messages, so users may not realize they are activating behavior rather than merely exporting content. In this skill's context, the generated prompt is derived from imported chat/social data and roleplay instructions, so silent activation increases the chance of unreviewed prompt injection or deceptive persona behavior reaching the runtime environment.

Natural-Language Policy Violations

Medium
Confidence: 82%
Finding
The generated instructions explicitly tell the assistant to stop presenting as an AI assistant and instead act as a specific real-person persona, without any user opt-in or transparency mechanism. In a skill built from private WeChat/chat history and 'simping memory,' this raises impersonation and social-engineering risk because the model can present synthesized personal identity cues as if they were authentic.

Missing User Warnings

Medium
Confidence: 93%
Finding
This tool recursively scans a directory and writes the contents of discovered text files, including up to 5000 characters per file, into a consolidated output file. In the context of importing WeChat and social-media history to build persona and memory, that behavior can expose highly sensitive personal communications, contact details, or intimate content without any explicit warning, consent checkpoint, minimization, or redaction, increasing the chance of accidental disclosure or unsafe downstream reuse.

Missing User Warnings

Medium
Confidence: 87%
Finding
The tool writes extracted message samples and derived behavioral analysis from private WeChat conversations directly to disk, which can expose sensitive personal data if the output path is shared, synced, or stored insecurely. In this skill context, the entire purpose is profiling a real person's chats and persona, so silent persistence of samples materially increases privacy risk.

VirusTotal

67/67 vendors flagged this skill as clean.
