Persona Builder

Security checks across malware telemetry and agentic risk

Overview

This skill is not malicious, but it creates durable personal-profile and agent-authority files that can shape future agent behavior, so the generated output should be reviewed carefully before use.

Install only if you want a local persona/workspace generator and are prepared to review the generated files before using them. Do not enter secrets or unnecessary personal details; redact sensitive schedule, goals, and risk information; avoid committing outputs to a public or shared repository; and remove or tighten any AGENTS.md or MEMORY.md instructions about autonomy, sub-agents, background loops, usage tracking, or pruning that you do not explicitly want future agents to follow.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (10)

Intent-Code Divergence (Medium, 93% confidence)

Finding: The document presents a contradictory policy: it says all questions are optional while elsewhere declaring certain blocks or fields required/minimum viable. In a guided interview that configures agent behavior, this inconsistency can mislead implementers into coercing users for data or silently applying defaults when users skip answers, producing configuration drift and consent issues.

Intent-Code Divergence (Low, 93% confidence)

Finding: The document presents 'assumed' authors and placeholder paper titles as authoritative academic backing, which is deceptive provenance. In a security-sensitive agent skill, fabricated or unverified research claims can unduly increase user trust, reduce scrutiny, and justify risky design choices such as autonomous memory handling without real evidence.

Missing User Warnings (Medium, 89% confidence)

Finding: The README instructs users to provide identity, schedule, goals, and personality details, then generate and copy multiple workspace files, but it does not clearly warn that sensitive personal data may be collected, stored in plaintext, and committed to version control. In this context, the omission increases the risk of accidental disclosure of personal or operationally sensitive information through local files, shared workspaces, backups, or git remotes.

Vague Triggers (Medium, 93% confidence)

Finding: The trigger phrase at line 14 is broad enough to match common user requests about creating or configuring an agent persona, which can cause this skill to activate when the user did not explicitly intend to run it. Because the skill collects substantial personal preference data and generates multiple workspace control files, accidental invocation can alter agent behavior or create unintended configuration artifacts.

Vague Triggers (Medium, 91% confidence)

Finding: The trigger phrase at line 16 is generic workspace-creation language that could collide with everyday requests unrelated to this specific skill. In context, this is more concerning because the skill performs a lengthy interview and produces foundational files like SOUL.md and AGENTS.md that can materially shape downstream agent behavior.

Missing User Warnings (Medium, 96% confidence)

Finding: The document explicitly instructs the skill to generate and write multiple workspace files and an items.json store, but it does not require an explicit user-facing notice or confirmation before modifying local data. In a persona-building skill that processes personal interview responses, silent writes can create unexpected persistence of sensitive user context and violate user expectations around consent and transparency.

Missing User Warnings (Medium, 98% confidence)

Finding: The usage-tracking section directs the system to update accessCount, lastAccessed, and save items.json whenever a fact is used in conversation, creating ongoing background persistence without a user-facing warning or opt-in. This is risky because it turns ordinary interactions into continuous profiling and local state mutation, which can surprise users and accumulate behavioral metadata over time.

Missing User Warnings (Medium, 97% confidence)

Finding: Defaulting an unanswered communication-style preference to 'blunt and direct' imposes a high-friction behavioral mode without explicit user consent. In this skill's context, that default can shape future agent interactions, increase user harm or alienation, and normalize aggressive pushback in cases where the user deliberately withheld a preference.

Missing User Warnings (Medium, 93% confidence)

Finding: The template explicitly authorizes the agent to autonomously prune cold facts and alter what appears in summaries, but it does not warn the user that information may be deprioritized, summarized away, or deleted based on agent-controlled heuristics. In a persona-building skill that defines long-lived identity and memory behavior, this can silently cause loss of important context, preference drift, or omission of safety-relevant facts without informed user consent.

Ssd 3 (Medium, 99% confidence)

Finding: This section defines persistent storage of personal and contextual interview data across categories like identity, schedule, goals, risks, and trust level, plus cross-conversation usage metadata. Even if intended for personalization, this is a real privacy/security issue because it creates a durable dossier of sensitive user attributes and behavior that could be exposed, reused beyond the user's expectations, or retained longer than necessary.

VirusTotal

61/61 vendors flagged this skill as clean.