ClawHub

Syléa

Security checks across malware telemetry and agentic risk

Overview

Syléa is a local life-coaching skill that openly stores personal coaching notes under ~/.sylea/ and shows no evidence of hidden networking, credential use, or destructive behavior.

Before installing, treat ~/.sylea/ as sensitive local personal-data storage. Avoid using it on shared or untrusted machines, periodically review or delete stored Markdown files, and do not provide cloud, email, calendar, payment, or crypto credentials unless you separately choose to use and trust an external service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Rogue AgentSelf-Modification, Session Persistence
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Low
Confidence
84% confidence
Finding
The changelog states that onboarding persists profile data to `~/.sylea/profile.md`, but there is no indication of explicit user notice, consent, or write confirmation. For a life-coach skill that may collect sensitive personal and well-being information, silent local persistence creates a privacy risk, especially on shared machines or in environments where users do not expect filesystem writes.

Session Persistence

Medium
Category
Rogue Agent
Content
- Asks for a **daily bilan** — keywords: *"how was my day"*, *"bilan journée"*, *"check-in"*
- Wants **progress tracking** on an existing objective

Respond in the user's language (French if they write French, English otherwise). Default to French when ambiguous.

## Setup — first use
Confidence
90% confidence
Finding
write French, English otherwise). Default to French when ambiguous. ## Setup — first use If `~/.sylea/` does not exist, create it: ```bash mkdir -p ~/.sylea/dilemmas ~/.sylea/checkins ~/.sylea/goal

Session Persistence

Medium
Category
Rogue Agent
Content
- If `well-being < 5` on the winner → add *"⚠️ attention au burn-out sur cette option"*

### Step 6. Save the analysis
Write to `~/.sylea/dilemmas/YYYY-MM-DD-<slug>.md` with the full table, the user's reasoning if shared, and the recommendation.

Never decide FOR the user. Surface the analysis; they pick.
Confidence
94% confidence
Finding
Write to `~/.sylea/dilemmas/YYYY-MM-DD-<slug>.md` with the full table, the user's reasoning if shared, and the recommendation. Never decide FOR the user. Surface the analysis; they pick. ## Protocol

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal