v1.0.0

Virtual User Skill

Review

ClawScan verdict for this skill. Analyzed Apr 30, 2026, 4:15 PM.

Analysis

The skill’s virtual-user purpose is plausible, but it under-declares local command execution, encryption-key/data access, unpinned dependency/model installs, and persistent data-processing behaviors.

Guidance: Before installing, confirm you are comfortable with the skill running local Python code, installing unpinned packages, using a local decryption key, and storing or rebuilding scenario data on disk. Avoid running the broad merge scripts on your Downloads folder unless you understand what files will be ingested, and do not expose the optional API without authentication.

Findings (9)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
cd /Users/xuwenxiang/.copaw/active_skills/virtual_user_skill && /Users/xuwenxiang/.copaw/active_skills/virtual_user_skill/venv/bin/python3 search_scenarios.py "用户的问题" 20

The skill instructs the agent to run a local shell command with the user’s question as an argument, even though the supplied requirements declare no binaries, config paths, or capability tags; the artifact does not clearly bound approval or execution scope.

User impact: Installing the skill could lead the agent to execute local code as part of normal use, not just provide instructions.
Recommendation: Declare the Python/runtime capability explicitly, avoid hard-coded user-specific paths, and require clear user approval before running local commands.
Agentic Supply Chain Vulnerabilities
Severity: Medium | Confidence: High | Status: Concern
requirements.txt
sentence-transformers>=2.2.0
numpy>=1.21.0
scikit-learn>=1.0.0
cryptography>=3.4.0
pandas>=1.3.0

Dependencies are specified with lower bounds rather than pinned versions or hashes, while other artifacts install them and load a transformer model; this leaves package/model provenance and reproducibility weak.

User impact: Future installs may fetch different package versions or model artifacts than the author tested.
Recommendation: Use a lockfile or exact pinned versions with hashes, document the model source and version, and include an install spec that matches the actual runtime needs.
Unexpected Code Execution
Severity: Low | Confidence: High | Status: Note
run.sh
python3 -m venv venv
source venv/bin/activate
pip install -q -r requirements.txt
python3 src/encrypt.py

The startup script creates a virtual environment, installs dependencies, and runs local initialization code. This is purpose-aligned setup behavior, but users should notice it because the registry describes the skill as having no install spec.

User impact: Using the helper script changes the local environment and executes skill-provided code.
Recommendation: Keep setup steps explicit, ask before installing dependencies or creating keys, and align the registry/install metadata with the actual setup flow.
Cascading Failures
Severity: Medium | Confidence: High | Status: Concern
scripts/quick_merge.py
files = [f for f in DOWNLOADS_DIR.iterdir() if f.suffix == '.xlsx' ...]
with open(OUTPUT_DIR / "scenario_library.json.enc", 'w') as f:
np.save(OUTPUT_DIR / "scenario_embeddings.npy", embeddings)

The merge script processes all Excel files in Downloads and then overwrites the persistent encrypted library and vector embeddings, so one unintended file can propagate into future retrieval results.

User impact: Accidental or low-quality files in Downloads could corrupt the scenario library used by later virtual-user sessions.
Recommendation: Require an explicit input file or directory, show a confirmation summary before writing, create backups by default, and validate data before rebuilding persistent indexes.
Human-Agent Trust Exploitation
Severity: Medium | Confidence: High | Status: Concern
README.md
Encrypted data files can be safely committed to GitHub
Automatically decrypted at runtime, without exposing the raw data

The privacy wording is broad, while other artifacts generate plaintext sample data and require a local decryption key; users may over-trust the strength and completeness of the protection.

User impact: Users may share or store data more casually than they should because the safety claims are stronger than the implementation details support.
Recommendation: Narrow the privacy claims, disclose plaintext sample generation and key handling, and provide concrete guidance for safe storage and sharing.
Rogue Agents
Severity: Low | Confidence: Medium | Status: Note
DEPLOYMENT.md
sudo systemctl enable virtual_user
sudo systemctl start virtual_user

The deployment guide includes optional persistent service setup. It is disclosed and purpose-aligned for production use, but it can keep the skill running beyond a single user task.

User impact: A production deployment may continue operating in the background if the user follows the optional service instructions.
Recommendation: Use persistent service deployment only when intended, document how to stop/disable it, and avoid enabling background services during normal local use.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Medium | Confidence: High | Status: Concern
SKILL.md
Key location: ~/.virtual_user/.key

The skill relies on a local encryption key to access the scenario library, but the supplied requirements declare no primary credential and no required config paths, under-disclosing the permission boundary.

User impact: The skill may access a persistent local key and encrypted research dataset that users would not expect from the registry metadata alone.
Recommendation: Declare the key path and data access requirements in metadata, explain what the key unlocks, and document how users can revoke or rotate it.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Medium | Confidence: High | Status: Concern
scripts/prepare_data.py
sample_file = output_dir / "sample_scenarios.json"
json.dump(scenarios[:5], f, ensure_ascii=False, indent=2)

The data-preparation script writes raw sample scenario records to a plaintext JSON file, creating persistent context outside the encrypted scenario library and weakening the stated privacy posture.

User impact: A small amount of research data may remain unencrypted on disk and could be reused or exposed outside the intended encrypted store.
Recommendation: Do not write plaintext samples by default; if samples are needed, require explicit opt-in, anonymize them, and document where they are stored.
Insecure Inter-Agent Communication
Severity: Low | Confidence: Medium | Status: Note
DEPLOYMENT.md
app.run(host='0.0.0.0', port=5000)

The optional API deployment example binds a Flask service to all interfaces; the document later advises adding authentication, but the sample itself does not implement identity or origin checks.

User impact: If copied directly, the API example could expose the interview service on the network without built-in access control.
Recommendation: Only deploy the API behind authentication, network restrictions, TLS, and rate limiting; include those controls in the example rather than only as advice.