Behavior Persona

Security checks across malware telemetry and agentic risk

Overview

This skill clearly says it profiles your local chats, but it stores sensitive conversation-derived data and can persistently change future agent behavior through SOUL.md.

Install only if you intentionally want local OpenClaw conversation history profiled and reused to influence future agent responses. Run the scripts manually first, inspect the generated data files and SOUL.md block, keep WRITE_MEMORY disabled unless you explicitly want memory writes, and avoid enabling the daily cron job until you are comfortable with the stored data and prompt changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (18)

Tainted flow: 'SOUL_FILE' from os.environ.get (line 16, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
        # Append the block to the end of the file
        content += f"\n\n{marker_start}\n{prompt}\n{marker_end}\n"

    with open(SOUL_FILE, 'w') as f:
        f.write(content)

    return True
Confidence
90% confidence
Finding
with open(SOUL_FILE, 'w') as f:

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The `adapt_response()` logic prepends/returns text implying a point was recorded to `MEMORY.md` for the `repetitive_reminder` scenario, but it never calls `save_to_memory()` and memory writes are disabled by default. This creates a deceptive state mismatch: users may believe data was persisted or handled when it was not, undermining trust and potentially causing unsafe reliance on nonexistent memory retention.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The file claims it extracts user behavior data, but the implementation also captures assistant messages and persists them. This mismatch can mislead users and reviewers about the scope of collection, undermining informed consent and causing broader-than-expected retention of private conversation content.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The collector reads private session and memory files and aggregates their contents without any user-facing disclosure, consent flow, or privacy guardrails. In a skill context, silently harvesting historical conversations and behavioral signals is dangerous because users may not expect secondary processing of local session archives.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script writes collected messages and derived events into a new JSON file, creating durable persistence of sensitive conversation data without an explicit warning. This increases exposure by creating a secondary datastore that may be less protected, longer-lived, or easier for other skills and users on the system to access.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The script persists profile-derived personal data into SOUL.md without any consent check, notice, minimization, or retention control. In a prompt-management context, this can expose user traits and behavioral triggers to other components, logs, backups, or operators that read the file, turning profile data into broadly accessible prompt material.

Ssd 3

Medium
Confidence
89% confidence
Finding
The scenario definitions explicitly encourage persisting user-derived information into `MEMORY.md` in plain language, which creates a privacy and retention risk if enabled. Because the target path is a shared-looking workspace file under the user's home directory, recorded behavioral inferences or personal preferences could be stored without granular consent, minimization, or access controls.

Ssd 3

Medium
Confidence
94% confidence
Finding
The generated advisor prompt tells the agent that if the user has already been reminded of something, it should act directly without repeating the reminder. In the context of a persona engine that contemplates writing to shared memory, this normalizes silent retention of, and action on, user information without fresh visibility, increasing the chance of covert persistence or behavioral profiling.

Ssd 3

High
Confidence
98% confidence
Finding
This script is explicitly designed to build a behavioral profile of a named individual by analyzing messages, channels, active hours, and interests, then storing the results. In a skill context, that creates a clear privacy and surveillance risk because sensitive personal inferences are collected and rendered into durable, human-readable reports without any visible consent, minimization, or access controls.

Ssd 3

High
Confidence
97% confidence
Finding
These routines derive personal traits from a specific user's message content, including message length, questioning behavior, and channel preference. Such inferred behavioral attributes are sensitive metadata; when tied to an identified person, they can be misused for monitoring, manipulation, or employment-style evaluation far beyond the original communication purpose.

Ssd 3

High
Confidence
99% confidence
Finding
The code mines message contents for topics, abandonment cues, and frustration signals, and in one path preserves contextual snippets and timestamps. This increases sensitivity substantially because it transforms private communications into psychological and topical profiles that can reveal emotions, priorities, and habits, creating a meaningful privacy harm if leaked or repurposed.

Ssd 3

High
Confidence
99% confidence
Finding
The pipeline persists the behavioral profile to JSON and Markdown reports, making sensitive inferences easy to read, copy, and disclose. Persisting these reports without any visible encryption, access restrictions, or lifecycle controls materially raises the risk of unauthorized exposure and secondary misuse.

Ssd 3

High
Confidence
98% confidence
Finding
The skill is explicitly designed to bulk collect behavior data from session and memory stores, which are likely to contain sensitive user content and metadata. In this skill context, that makes the behavior more dangerous because it is not incidental logging but intentional profiling and retention of historical conversation activity.

Ssd 3

High
Confidence
99% confidence
Finding
The extraction logic stores raw snippets from both user and assistant messages, including content from private sessions, into a new structured dataset. Persisting near-raw conversational text materially increases privacy and confidentiality risk because secrets, personal data, or sensitive work context may be copied into a secondary file outside the original storage controls.

Ssd 3

High
Confidence
99% confidence
Finding
Writing collected session-derived data to a separate skill-owned file creates a secondary repository of sensitive content, expanding the attack surface and retention footprint. If the file is accessed by other local processes, other skills, backups, or a compromised account, private conversation history and inferred behavior can be exposed.

Ssd 3

Medium
Confidence
92% confidence
Finding
User profile attributes are converted directly into system-prompt guidance and embedded in SOUL.md, creating a natural-language side channel for sensitive personal information. Because system prompts are often widely consumed by downstream agents and tools, this increases the blast radius of personal data exposure and can also let profile content influence higher-trust instructions.

Ssd 3

Medium
Confidence
90% confidence
Finding
The script writes personalized advisory content to a reusable prompt file, preserving user-specific traits beyond the immediate run. This broadens exposure through file reuse, backups, accidental commits, or access by other skills/processes, making leakage more likely in the skill context where prompt files may be broadly referenced.

Session Persistence

Medium
Category
Rogue Agent
Content
1. **Reads** your OpenClaw session files and memory files
2. **Stores** collected data in `data/collected_data.json` (messages truncated to ~200 chars)
3. **Modifies** your `SOUL.md` daily by injecting a user profile block at 18:00
4. **Does NOT** write to MEMORY.md by default (requires `WRITE_MEMORY=True` in code)

**Privacy implications:**
- Raw conversation content is stored (truncated)
Confidence
97% confidence
Finding
write to MEMORY.md by default (requires `WRITE_MEMORY=True` in code)

**Privacy implications:**
- Raw conversation content is stored (truncated)
- Only stores messages from the last 30 days by default

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal