User Insight

Security checks across malware telemetry and agentic risk

Overview

This skill does not behave like malware, but it persistently profiles the user from conversations and includes engagement-probing behavior that users should review carefully before installing.

Install only if you explicitly want an assistant to maintain a persistent local profile about you and use it to steer future conversations. Review the files under ~/.openclaw/workspace/memory, especially user-profile.json and topic-exploration.json, avoid scheduled or proactive outreach unless you intentionally opt in, and confirm you have a practical way to inspect, disable, delete, and reset stored profile data.
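The last recommendation is easier to act on with a small tool. The script below is an added example written for this page; it is not part of the skill or of OpenClaw. It lists every Markdown and JSON file in the memory directory (the same set a skill that enumerates the whole directory would see, unrelated artifacts included), summarizes which top-level categories the two profile files retain without dumping their values, and moves the profile artifacts into a backup directory as a reversible reset. Only the directory and file names come from the page; the directory layout, the JSON shape of the profile files, and the sample data are assumptions.

```python
"""Inspect and reset the profile files a conversational skill keeps under a
memory directory. Added example for this page, not part of the skill or of
OpenClaw; only the directory and file names come from the page."""
import json
import shutil
import sys
import tempfile
import time
from pathlib import Path

# Named on the page. The layout inside these files is not documented, so the
# code below assumes only that they are JSON objects.
DEFAULT_MEMORY_DIR = Path.home() / ".openclaw" / "workspace" / "memory"
PROFILE_FILES = ("user-profile.json", "topic-exploration.json")


def inventory(memory_dir):
    """One record per *.json / *.md file in the directory: the set of files a
    skill that enumerates the whole memory directory would see, including
    artifacts that have nothing to do with it."""
    records = []
    for path in sorted(Path(memory_dir).iterdir()):
        if not path.is_file() or path.suffix not in (".json", ".md"):
            continue
        st = path.stat()
        records.append({
            "name": path.name,
            "bytes": st.st_size,
            "mtime": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(st.st_mtime)),
            "profile_artifact": path.name in PROFILE_FILES,
        })
    return records


def summarize_profile(path):
    """Top-level keys of a JSON profile with the size of each collection, so
    the user sees which categories of inferences are retained without the
    values themselves being printed into a terminal or a log."""
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    if not isinstance(data, dict):
        return {"_type": type(data).__name__, "_len": len(data)}
    return {
        key: len(value) if isinstance(value, (list, dict)) else type(value).__name__
        for key, value in data.items()
    }


def reset_profile(memory_dir, backup_dir):
    """Reversible reset: move the profile artifacts out of the live directory
    into a backup directory the user controls. Returns the names moved."""
    memory_dir, backup_dir = Path(memory_dir), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    moved = []
    for name in PROFILE_FILES:
        src = memory_dir / name
        if src.is_file():
            shutil.move(str(src), str(backup_dir / name))
            moved.append(name)
    return moved


def build_sample_memory_dir():
    """Constructed sample data for a stand-alone run; not taken from any
    real installation."""
    root = Path(tempfile.mkdtemp(prefix="memory-audit-"))
    (root / "user-profile.json").write_text(
        json.dumps({"name": "A.", "interests": ["hiking", "jazz"], "habits": {"late_night": True}}),
        encoding="utf-8")
    (root / "topic-exploration.json").write_text(json.dumps({"tested": ["cooking"]}), encoding="utf-8")
    (root / "2024-06-meeting-notes.md").write_text("# unrelated notes\n", encoding="utf-8")
    (root / "other-skill-state.json").write_text("{}", encoding="utf-8")
    return root


if __name__ == "__main__":
    positional = [arg for arg in sys.argv[1:] if not arg.startswith("--")]
    target = Path(positional[0]) if positional else build_sample_memory_dir()
    for record in inventory(target):
        print(record)
    for name in PROFILE_FILES:
        if (target / name).is_file():
            print(name, summarize_profile(target / name))
    if "--reset" in sys.argv:
        print("moved:", reset_profile(target, target / "profile-backup"))
```

Run it with no arguments to see it work on the constructed sample, or pass the real path (~/.openclaw/workspace/memory) to inventory your own installation; add --reset to move the two profile files into a profile-backup subdirectory, where they can be reviewed and, if wanted, moved back.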

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill metadata declares only that it reads a profile file, but the skill document defines additional persistent files and ongoing maintenance of user data, implying write access that is never declared. Undeclared storage access weakens user and operator oversight and can enable silent retention of sensitive conversational inferences.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The top-level description frames the skill as reading a profile when needed, but the body instructs the agent to build, update, and store multiple profiling artifacts over time. This mismatch is dangerous because reviewers and users may underestimate the extent of persistence and surveillance performed by the skill.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill is described as learning through conversation, but later sections of the skill document expand its scope to scheduled outreach and external content retrieval for engagement optimization. That scope drift increases privacy and manipulation risk because the agent moves from passive assistance to proactive behavioral targeting.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The active-exploration design explicitly aims to probe users like a recommendation algorithm, including contacting them after inactivity and testing topics to find 'excitation points.' In this context, the capability is more dangerous because the skill's stated purpose is user insight, so the overreach directly supports covert profiling and engagement manipulation.

Intent-Code Divergence

Low
Confidence
74% confidence
Finding
The skill promises controls such as deletion, pause, and reset, but the document provides no concrete workflow or enforcement mechanism while emphasizing continuous logging elsewhere. This creates a misleading privacy expectation that can cause users to believe their data is deletable or collection is stoppable when it may not be.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The code decides when to proactively re-initiate contact based on stored interaction history, which goes beyond passive personalization into unsolicited engagement. In a profiling skill explicitly designed to gather user information, this increases manipulation and privacy risk because the agent can strategically prompt users to reveal more data over time.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The function scans all Markdown and JSON files in ~/.openclaw/workspace/memory and uses their modification times to infer user interaction timing, which exceeds the skill's declared behavior of reading only user-profile.json. This broad file enumeration can expose unrelated memory artifacts and creates an unnecessary privacy boundary violation even if file contents are not read.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill writes back to persistent files such as user-profile.json and topic-exploration.json, despite the metadata stating that it reads user-profile.json when needed. Undisclosed persistent modification is security-relevant because it changes long-lived user state, can influence future agent behavior, and breaks user/operator expectations about what the skill is allowed to do.
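The enumeration finding above and this write-back finding are two instances of the least-privilege gap named in the Lp3 finding: the declaration covers reading user-profile.json, the behavior covers more. The example below is added for this page and is not the skill's code. It reconstructs the two described behaviors (a modification-time scan of every .md and .json file in the memory directory, and a write-back to user-profile.json and topic-exploration.json) behind a recorder that logs each file operation, then diffs the log against a declared allowlist, and shows the scoped variant that stays inside the declaration. The recorder, the declaration format, the JSON shapes, and the sample files are assumptions; only the filenames and the described behavior come from the page.

```python
"""Declared vs. observed file access for a conversational skill. Added
example for this page; the broad scan and the write-back reconstruct the
behaviour the findings describe and are not the skill's own code."""
import json
import tempfile
import time
from pathlib import Path

PROFILE = "user-profile.json"        # the only file the metadata declares
TOPICS = "topic-exploration.json"    # written in practice, per the findings


class AccessRecorder:
    """Routes every file operation through one place and logs
    (operation, filename) so the log can be diffed against a declaration."""

    def __init__(self):
        self.ops = []

    def stat(self, path):
        self.ops.append(("stat", path.name))
        return path.stat()

    def read_json(self, path):
        self.ops.append(("read", path.name))
        return json.loads(path.read_text(encoding="utf-8"))

    def write_json(self, path, data):
        self.ops.append(("write", path.name))
        path.write_text(json.dumps(data, indent=2), encoding="utf-8")


def last_interaction_broad(memory_dir, rec):
    """Behaviour in the enumeration finding: stat every *.md and *.json in the
    directory and treat the newest mtime as the last user interaction."""
    paths = [p for p in Path(memory_dir).iterdir() if p.suffix in (".md", ".json")]
    return max((rec.stat(p).st_mtime for p in paths), default=None)


def last_interaction_scoped(memory_dir, rec):
    """Least-privilege alternative: the declared file, and nothing else."""
    profile = Path(memory_dir) / PROFILE
    return rec.stat(profile).st_mtime if profile.exists() else None


def record_insight(memory_dir, rec, insight):
    """Behaviour in the write-back finding: persist an inferred insight into
    the profile and the topic-exploration file (schema assumed)."""
    memory_dir = Path(memory_dir)
    profile = rec.read_json(memory_dir / PROFILE)
    profile.setdefault("insights", []).append(insight)
    rec.write_json(memory_dir / PROFILE, profile)
    topics_path = memory_dir / TOPICS
    topics = rec.read_json(topics_path) if topics_path.exists() else {}
    topics[insight] = {"tested_at": time.time()}
    rec.write_json(topics_path, topics)


def undeclared_access(ops, declared):
    """Operations in the log that the declaration does not cover. `declared`
    is a set of (operation, filename) pairs; declaring a read also covers a
    stat of the same file, since reading requires locating it."""
    allowed = set(declared) | {("stat", name) for op, name in declared if op == "read"}
    return sorted(set(ops) - allowed)


def build_sample_memory_dir():
    """Constructed sample directory for a stand-alone run."""
    root = Path(tempfile.mkdtemp(prefix="memory-access-"))
    (root / PROFILE).write_text("{}", encoding="utf-8")
    (root / "daily-journal.md").write_text("# private notes\n", encoding="utf-8")
    (root / "other-skill.json").write_text("{}", encoding="utf-8")
    return root


if __name__ == "__main__":
    declared = {("read", PROFILE)}
    root = build_sample_memory_dir()
    rec = AccessRecorder()
    last_interaction_broad(root, rec)
    record_insight(root, rec, "reacted strongly to travel topics")
    print("as described in the findings:", undeclared_access(rec.ops, declared))
    rec = AccessRecorder()
    last_interaction_scoped(root, rec)
    print("scoped variant:", undeclared_access(rec.ops, declared))
```

The first diff lists the stat of daily-journal.md and other-skill.json and the two writes, none of which the declaration covers; the scoped variant produces an empty list. The same recorder can wrap any skill's file helpers during a review session, so the comparison is made against what the code actually touched rather than against what its description says.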

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill persistently stores inferred preferences, habits, reactions, and conversation-derived insights, yet does not present a clear up-front notice or consent model for that retention. In a profiling skill, hidden persistence is especially dangerous because ordinary chat content is transformed into durable personal data without meaningful user awareness.

Vague Triggers

Medium
Confidence
86% confidence
Finding
Trigger conditions such as user inactivity, low participation, or vague statements like 'chat about anything' are broad enough to activate profiling and probing during normal use. Ambiguous invocation criteria are risky here because they can silently escalate a casual conversation into systematic behavioral testing.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script reads a persistent profile from a fixed path in the user's home directory without any notice, consent flow, or data minimization controls. Accessing personal profile data silently creates a privacy vulnerability, especially since the skill's purpose is to infer and retain user traits for future conversational use.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The script explicitly initializes persistent profiling files and tells the operator that insights will be collected passively, but it provides no consent flow, notice, retention policy, or controls over what personal data will be stored. In the context of a skill designed to build a dynamic user profile from conversations, this creates a real privacy risk because sensitive behavioral and preference data can be accumulated invisibly across sessions.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script persistently stores message-derived insights, preferences, behavioral patterns, and conversation previews to a user profile on disk with no consent check, disclosure mechanism, retention controls beyond a small history cap, or sensitivity filtering. In the context of a profiling skill explicitly designed to build a dynamic user portrait, this increases privacy risk because ordinary conversation content can be converted into long-lived personal data without the user's awareness.

Ssd 3

High
Confidence
98% confidence
Finding
The skill instructs the assistant to infer personal interests, preferences, habits, and communication traits from ordinary conversation and store them in persistent profile files. This is dangerous because it turns routine dialogue into covert surveillance and long-term profiling, potentially exposing sensitive behavioral data if misused or accessed by others.

Ssd 4

High
Confidence
98% confidence
Finding
The guided-collection section teaches the assistant to elicit personal information indirectly so the user will disclose more without feeling interrogated. That is manipulative by design, and in this context it is especially harmful because the extracted data is then persisted as a user profile for later use.

Ssd 4

Medium
Confidence
94% confidence
Finding
The active-exploration workflow uses repeated topic probing, reaction scoring, and delayed retries to discover what most strongly engages the user. This creates a cumulative manipulation pattern similar to behavioral optimization systems, increasing the risk of nudging users toward dependency or unwanted disclosure.

Ssd 3

High
Confidence
98% confidence
Finding
These sections define structured records for interests, reactions, engagement history, avoided topics, and raw insight logs, all persisted across time. Detailed longitudinal logging of inferred behavior materially increases privacy harm and breach impact, especially because many entries are subjective inferences rather than user-confirmed facts.

Ssd 4

High
Confidence
99% confidence
Finding
The best-practice section explicitly says not to let the user feel they are being 'tested' or 'analyzed' while continuing to infer interests and optimize conversation. Concealing analysis from the user is a strong red flag because it intentionally defeats informed consent and enables manipulative profiling under the guise of friendly chat.

Ssd 3

Medium
Confidence
96% confidence
Finding
The file's stated purpose is to collect user insight through natural conversation, including passive extraction and active exploration of personal information. That design creates a surveillance-style profiling capability that can gather sensitive data without meaningful transparency, especially when embedded in ordinary chat rather than explicit intake flows.

Ssd 4

Medium
Confidence
93% confidence
Finding
The code identifies missing personal fields such as name, occupation, location, interests, and communication preferences, then uses that gap analysis to guide incremental elicitation. This trust-building, staged profiling is dangerous because it systematizes social engineering techniques to gather more personal data than a user may realize they are disclosing.

Ssd 3

Medium
Confidence
91% confidence
Finding
The follow-up strategy explicitly treats emotional expressions as signals to record, which can expand the profile into sensitive psychological or affective data. Emotional-state inference is particularly risky because it enables manipulation, targeting, and retention of sensitive personal information far beyond ordinary chat context.

VirusTotal

63/63 vendors returned no detection for this skill. Antivirus engines look for known malicious code; a clean result says nothing about the profiling and engagement behavior the findings above describe, which lives in the skill's instructions rather than in executable malware.