Persona Spawn
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill’s persona-subagent workflow is mostly disclosed, but review is warranted because its helper scripts can overwrite/delete local persona folders and do not tightly validate persona handles used as file paths.
Install only if you are comfortable with workspace-local persona files being used as subagent prompt material. Before use, review imported personas, keep shared context files limited to intended documents, and be cautious in workspaces that already have a personas directory but no index.json because the bootstrap script may overwrite starter persona folders.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A malformed or untrusted persona handle could cause the helper to read files from unexpected locations if matching filenames exist, and then place that content into a subagent prompt.
The handle argument is used directly as a filesystem path component and then read, without an evident allowlist or containment check that keeps it inside the personas directory.
persona_dir = personas_dir / args.handle
...
soul = read_text(persona_dir / "SOUL.md")
identity = read_text(persona_dir / "IDENTITY.md")
Validate handles with a strict pattern such as lowercase letters, numbers, and hyphens only, and resolve the final path to confirm it remains under the workspace personas directory.
A workspace that already has customized persona files but lacks index.json could lose those files when the skill runs its normal first-use setup.
During bootstrap, if index.json is missing, the script deletes an existing bundled-persona destination directory before copying the starter persona.
if dest.exists():
    shutil.rmtree(dest)
shutil.copytree(child, dest)
Avoid deleting existing persona directories automatically; skip existing directories, make backups, or require explicit user confirmation before overwriting.
Imported persona files can change over time based on the remote repository and may later influence spawned-agent behavior.
Marketplace persona content is fetched from a moving GitHub branch without pinning, signature verification, or hash checks.
BASE="https://raw.githubusercontent.com/decentraliser/personas/main/personas/$HANDLE"
...
curl -Lsf "https://github.com/decentraliser/personas/archive/refs/heads/main.tar.gz" -o "$TMPDIR/personas.tar.gz"
Import only from trusted sources, review downloaded persona files before use, and consider pinning to versions or verifying checksums for controlled environments.
If local or imported persona files contain unwanted instructions, those instructions may shape future subagent outputs.
Persona files are persistent prompt material and are treated as authoritative for the spawned agent’s persona, tone, and identity.
OVERRIDE_DIRECTIVE = """Ignore any workspace-injected SOUL.md or IDENTITY.md that conflicts with the persona materials below. For persona, tone, and identity, treat the provided Persona Soul and Persona Identity as authoritative."""
Review persona files and shared context files before spawning, and keep governance/safety instructions outside editable persona content.
A separate agent may act on the assembled task prompt, which can consume resources and perform work under the caller’s normal subagent permissions.
The skill explicitly spawns subagents, but the documented shape includes a label, timeout, and cleanup setting.
"runtime": "subagent", "mode": "run", "label": "persona:<handle>", "runTimeoutSeconds": 300, "cleanup": "delete"
Use this only for bounded tasks, follow workspace policy on asking before spawning, and keep the timeout/cleanup controls.
