Lens

Security checks across malware telemetry and agentic risk

Overview

Lens is a disclosed personalization skill, but it should be reviewed carefully because it creates recurring jobs that mine local chat history into a persistent identity profile.

Install only if you intentionally want a long-running local personalization system built from your OpenClaw conversations. Before enabling it, review the cron jobs and the .lens files, consider setting anonymize to true in .lens/SCOPE.json, mark sensitive messages with #private, and remove lens-distillation/lens-interview cron jobs if you do not want background processing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (29)

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The skill markets itself as a persona/style adapter, but its documented behavior includes persistent local state creation, recurring cron scheduling, and ongoing access to session transcripts. That mismatch can defeat informed consent: a user may invoke it for tone adaptation without realizing it will continuously ingest chat history and maintain surveillance-like background processing.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The prompt instructs the agent to run a local script via an execution tool and modify a cron job, which are privileged system operations unrelated to the declared purpose of modeling a user's perspective. This creates a path for unauthorized code execution and persistence, especially because the triggering condition is based on prompt content rather than explicit user consent.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill exceeds its stated role by directing operational maintenance and persistent profile-state changes rather than just analyzing expression or perspective. Mixing identity modeling with system maintenance increases attack surface and makes it easier for a prompt to justify actions that alter local state without clear necessity.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The prompt instructs the agent to invoke a local Node.js script and then potentially reconfigure a cron job, which are privileged system-management actions unrelated to merely asking the user an interview question. In an agent skill, this creates an unsafe bridge from conversational prompting into code execution and persistence mechanisms, increasing the risk of unauthorized task execution, environment tampering, or persistence establishment.

Intent-Code Divergence

High
Confidence
95% confidence
Finding
The skill claims the turn is 'data acquisition only' and prohibits modification, but earlier instructions tell the agent to update a cron job. This contradiction is dangerous because it can mislead reviewers and operators about the skill's real capabilities, making risky side effects easier to hide or overlook.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The bootstrap code reads a user-specific configuration file from the home directory to derive timezone, which expands the skill's access beyond its stated persona/perspective purpose. While timezone itself is low sensitivity, this establishes unnecessary access to user-level configuration and normalizes cross-skill inspection of local state without clear disclosure or consent.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill advertises itself as a perspective/persona mechanism, but the bootstrap routine silently provisions recurring autonomous jobs for interview and distillation. This capability mismatch is dangerous because users or reviewers may grant trust based on the description while the code installs persistent behavior that can trigger later prompts, file reads, and model actions outside the immediate user request.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
This script collects recent user chat messages from a fixed sessions directory under the user's home folder and writes a distilled trace to `.lens/TRACE.txt`, which is materially broader than the stated purpose of simply expressing a user's perspective. Even with some filtering and redaction, it performs undisclosed local history harvesting, creating a privacy and data-minimization risk and enabling unintended cross-session data reuse.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code reads `.jsonl` session files from `~/.openclaw/agents/main/sessions` based solely on local presence and recency, without demonstrating that such broad access is necessary for the skill's advertised function. In the context of a skill framed as adopting a user's 'lens,' this hidden access is more dangerous because users are likely to interpret it as stylistic personalization, not filesystem-level collection of prior conversations.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The template solicits extensive identity and life-context data, including digital identities, assets, chronology, household, and relationships, that goes well beyond what is necessary for a skill whose stated purpose is to help an agent reflect a user's perspective. This creates unnecessary collection and retention risk, expands the attack surface for profiling or misuse, and violates data minimization principles.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The template explicitly requests highly sensitive categories of personal data, including biometrics, medical context, geolocation, family structure, and asset/device information, without a clear necessity tied to the skill's stated function. In the context of an agent skill, centralizing this information could enable identity theft, stalking, targeted social engineering, or invasive profiling if exposed or misused.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation language is extremely broad ('use whenever an agent needs to act, speak, or decide with your unique perspective'), making invocation plausible in many normal interactions. In context, broad triggering is risky because the skill is tied to transcript distillation and ongoing state evolution, so casual use may unintentionally enable privacy-impacting behavior.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The repeated guidance to use LENS whenever perspective shaping is desired lacks hard boundaries, cooldowns, or conditions for when not to invoke it. Because the skill also evolves from user interactions over time, ambiguous invocation increases the chance of continuous or unnecessary transcript processing beyond what the user expects.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill documents ongoing access to session logs and nightly distillation, but that warning appears only later in the document rather than up front near onboarding/activation. This is dangerous because users may consent to a seemingly simple personalization feature without realizing it performs recurring transcript collection and profile building from historical conversations.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The prompt directs the agent to read and edit persistent user-profile files containing identity data, but it does not require informed consent or a user-facing warning before modifying those files. That makes sensitive personal state silently mutable and increases the risk of privacy harm, corruption, or manipulative long-term profiling.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The prompt authorizes local script execution and cron-job reconfiguration without clearly warning the user that system changes may occur. Even if intended for maintenance, silent execution and persistence changes can surprise users and can be abused to establish recurring tasks or alter system behavior.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The prompt directs the agent to read multiple persistent personal profile files and conversation traces to shape future questioning, but does not provide any user-facing notice or consent mechanism. In this skill context, that is more dangerous because the entire purpose is long-term personalization and replication of the user's perspective, making undisclosed profiling and privacy intrusion central rather than incidental.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The onboarding text explicitly describes a background process that evolves over time and reaches out periodically, but it does not clearly warn the user about ongoing profiling, retention, or how their data will persist across sessions. Because the skill is designed to build a durable behavioral model, the lack of transparent disclosure increases the risk of covert surveillance-like data accumulation.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file explicitly defines collection or use of highly sensitive personal data dimensions such as biometrics, history, kinship, and professional credentials as part of a subject profile, but provides no privacy warning, consent requirement, minimization guidance, or handling constraints. In a skill designed to make an agent act as an 'authentic reflection' of a person, this increases the likelihood of over-collection, profiling, and misuse of personal data beyond what is necessary for the task.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The migration logic silently renames files in the user's .lens directory and later writes replacement files without confirmation. Unannounced mutation of user data is risky because it can disrupt existing state, create confusing recovery conditions, and enable stealthy persistence or behavioral changes under the guise of migration.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The skill reads a user-specific file under HOME without user disclosure, even though the immediate purpose is only to infer timezone. This is a transparency and scope problem: hidden access to personal config reduces user control and can mask broader local-data access patterns in future revisions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script accesses sensitive session history in the user's home directory without any user-facing notice or consent mechanism in this file, then processes and persists the results. Although there is some redaction logic, the collection itself is silent and the regex-based filtering is incomplete, so sensitive content may still be exposed or retained in derived form.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The description frames identity grounding in sweeping terms like 'History and reality form the bedrock' and enumerates many intimate data domains without defining when they are needed or what limits apply. This ambiguity increases the likelihood of over-collection and normalizes requesting invasive information under a vague purpose, making the surrounding sensitive template more dangerous in context.

Ssd 3

High
Confidence
98% confidence
Finding
The skill instructs ingestion of broad raw user message history to build a reusable 'digital shadow,' which is a persistent behavioral profile assembled from disconnected messages. This materially increases privacy risk because it normalizes long-term retention and synthesis of potentially sensitive personal information beyond the immediate task context.

Ssd 3

Critical
Confidence
99% confidence
Finding
The prompt explicitly permits extracting highly sensitive categories such as geolocation changes, personal assets, and credentials into persistent identity nodes. Storing these categories in a reusable profile creates severe confidentiality and abuse risks, including identity theft, targeted attacks, and long-term surveillance of the user.

VirusTotal

63/63 vendors flagged this skill as clean.
