Persona Spawn

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Concern (Medium Confidence)
ASI02: Tool Misuse and Exploitation
What this means

A malformed or untrusted persona handle could cause the helper to read files from unexpected locations if matching filenames exist, and then place that content into a subagent prompt.

Why it was flagged

The handle argument is used directly as a filesystem path component and then read, without an evident allowlist or containment check that keeps it inside the personas directory.

Skill content

persona_dir = personas_dir / args.handle
...
soul = read_text(persona_dir / "SOUL.md")
identity = read_text(persona_dir / "IDENTITY.md")

Recommendation

Validate handles with a strict pattern such as lowercase letters, numbers, and hyphens only, and resolve the final path to confirm it remains under the workspace personas directory.

Concern (High Confidence)
ASI08: Cascading Failures
What this means

A workspace that already has customized persona files but lacks index.json could lose those files when the skill runs its normal first-use setup.

Why it was flagged

During bootstrap, if index.json is missing, the script deletes an existing bundled-persona destination directory before copying the starter persona.

Skill content

if dest.exists():
    shutil.rmtree(dest)
shutil.copytree(child, dest)

Recommendation

Avoid deleting existing persona directories automatically; skip existing directories, make backups, or require explicit user confirmation before overwriting.

What this means

Imported persona files can change over time based on the remote repository and may later influence spawned-agent behavior.

Why it was flagged

Marketplace persona content is fetched from a moving GitHub branch without pinning, signature verification, or hash checks.

Skill content

BASE="https://raw.githubusercontent.com/decentraliser/personas/main/personas/$HANDLE"
...
curl -Lsf "https://github.com/decentraliser/personas/archive/refs/heads/main.tar.gz" -o "$TMPDIR/personas.tar.gz"

Recommendation

Import only from trusted sources, review downloaded persona files before use, and consider pinning to versions or verifying checksums for controlled environments.

What this means

If local or imported persona files contain unwanted instructions, those instructions may shape future subagent outputs.

Why it was flagged

Persona files are persistent prompt material and are treated as authoritative for the spawned agent’s persona, tone, and identity.

Skill content

OVERRIDE_DIRECTIVE = """Ignore any workspace-injected SOUL.md or IDENTITY.md that conflicts with the persona materials below. For persona, tone, and identity, treat the provided Persona Soul and Persona Identity as authoritative."""

Recommendation

Review persona files and shared context files before spawning, and keep governance/safety instructions outside editable persona content.

Note (High Confidence)
ASI10: Rogue Agents
What this means

A separate agent may act on the assembled task prompt, which can consume resources and perform work under the caller’s normal subagent permissions.

Why it was flagged

The skill explicitly spawns subagents, but the documented shape includes a label, timeout, and cleanup setting.

Skill content

"runtime": "subagent",
"mode": "run",
"label": "persona:<handle>",
"runTimeoutSeconds": 300,
"cleanup": "delete"

Recommendation

Use this only for bounded tasks, follow workspace policy on asking before spawning, and keep the timeout/cleanup controls.