Soul Archive

Security checks across malware telemetry and agentic risk

Overview

This skill is a local memory and persona archive, but by default it enables automatic plaintext profiling and prompt injection, so it needs review before installation.

Install only if you intentionally want an automatic, long-term local profile of yourself. Before use, review config.json, consider disabling auto_extract, auto_context_inject, and auto_reflect, avoid storing secrets or highly sensitive personal details, and treat generated prompts/reports as data that may be sent to your AI provider or exposed through external browser resources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (28)

Dynamic import via __import__()

Medium
Category
Dangerous Code Execution
Content
import argparse
from pathlib import Path

def main():
    # Description and help strings are Chinese in the original:
    # "Soul Archive -- AI self-improvement engine", "path to the soul data directory"
    parser = argparse.ArgumentParser(description="🧬 灵魂存档 -- AI 自我改进引擎")
    # Flagged line: the default is resolved through a dynamic __import__() of the
    # local soul_paths module instead of a static import at the top of the file.
    parser.add_argument("--soul-dir", type=Path,
                        default=__import__("soul_paths", fromlist=["resolve_soul_dir"]).resolve_soul_dir(),
                        help="灵魂数据目录路径")
    parser.add_argument("--mode", choices=["reflect", "critique", "learn", "status", "patterns"],
                        default="status")
Confidence
86% confidence
Finding
default=__import__("soul_paths", fromlist=["resolve_soul_dir"]).resolve_soul_dir(),

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation states that auto-extract and auto-context injection are enabled by default, but the warning that captured data is passed into the active AI agent's prompt is not emphasized at the point where those defaults are described. In a privacy-sensitive memory/archive skill, this can mislead users into enabling ongoing collection and disclosure of highly personal data without fully appreciating that it may be transmitted onward by the agent/provider.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The trigger phrases `self-improve` and `learn from mistakes` are broad enough to occur in normal conversation, which can unintentionally activate reflective logging or memory features. In a skill that stores personal and behavioral data to local plaintext JSON, accidental activation increases the risk of over-collection and secondary disclosure.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The auto-activation language for extraction is broad and not tightly scoped, especially when combined with `auto_extract: true`. That makes it easy for the agent to collect and persist user traits from ordinary conversations without sufficiently specific intent at the moment of capture.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The example trigger `沉淀一下` (roughly "let things settle" or "take stock") is conversational and generic, making reliable scoped activation difficult. A phrase this common can cause unintended extraction in benign discussion, which is risky given the skill's archival and cross-session memory behavior.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The skill prominently advertises broad collection of identity, personality, memories, and preferences, while the strongest privacy caveats appear later and are not equally prominent at the collection point. Because the data is stored as plaintext JSON and later reused, users may not fully appreciate the sensitivity and persistence of what is being gathered.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The trigger list includes broad natural-language phrases such as '分析我' ("analyze me") and 'self-reflect / self-improve / learn from mistakes' that can plausibly appear in ordinary conversation. In a skill designed to extract and store personal profile data, broad activations increase the chance of unintentional invocation and covert collection of sensitive user traits without explicit, informed consent.

Missing User Warnings

High
Confidence
96% confidence
Finding
This prompt instructs the system to infer and structure extensive personal data, including identity, emotional triggers, habits, beliefs, and direct quotations, but it does not include any user-facing warning or consent language. That creates a privacy risk because users may disclose information in a normal conversation without realizing it is being transformed into a durable behavioral profile for future AI use.

Missing User Warnings

High
Confidence
97% confidence
Finding
The write strategy describes automatic recording, deduplication, conflict handling, and retention thresholds, which signals silent persistence of extracted user data. Because this occurs without an accompanying warning, review step, or deletion/retention policy, it materially increases the risk of users being profiled and having sensitive data stored longer than intended.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script emits a consolidated personal-profile summary directly to stdout with no confirmation, redaction mode, or warning, and that summary can include identity, location, employer, personality traits, active projects, and behavioral preferences. In this skill's context, the whole purpose is to inject archived personal data into agent sessions, which makes inadvertent disclosure to logs, downstream prompts, shell history, or other tools materially more likely.

Missing User Warnings

High
Confidence
97% confidence
Finding
The script explicitly persists conversation-derived profile data to local plaintext JSON/JSONL files, but the CLI flow does not provide a clear consent prompt or an explicit warning that sensitive personal, emotional, and behavioral data will be stored long-term. Because this skill is specifically designed to build a durable 'digital soul' across sessions, users may disclose highly sensitive information without understanding the retention and exposure risk.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The initializer creates a local plaintext profile store with highly sensitive fields such as identity, location, occupation, emotional patterns, and personal preferences, but it does not present a clear up-front consent warning before provisioning that structure. In the context of a skill designed for persistent personality capture and reuse, this increases the risk that users will unknowingly enable long-term collection of intimate data that can later be read by other local processes, users on the same machine, backups, or malware.

Natural-Language Policy Violations

Medium
Confidence
90% confidence
Finding
The script explicitly documents and implements automatic language selection based on whether the user's name contains Chinese characters, which infers locale/ethnicity from personal data without explicit consent. In this skill's context, the report contains highly sensitive personality and memory data, so making presentation decisions from inferred identity attributes increases privacy risk and can misclassify users or apply unwanted localization policy.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The detect_language function and its use in generate_html_report enforce language choice from the presence of Chinese characters in the user's name, which is a sensitive-attribute proxy rather than a user-selected setting. Because this skill builds a persistent 'digital soul' archive with personal, behavioral, and emotional content, incorrect or non-consensual inference is more dangerous here than in a generic UI script: it can expose profiling behavior and create discriminatory or privacy-noncompliant handling.

Ssd 3

High
Confidence
96% confidence
Finding
This is a real privacy and data-leakage risk: the skill is designed to automatically collect broad personal conversation data and reuse it for later outputs, context injection, and clone behavior. Even if storage is local, plaintext archives can expose sensitive identity, health, financial, relationship, and behavioral information to later prompts, other tools on the machine, or unintended recipients through prompt injection or misrouting.

Ssd 3

High
Confidence
98% confidence
Finding
Automatically preloading archived personal traits, rules, and preferences into 'any AI agent' at conversation start materially increases the chance of privacy leakage and over-sharing. The skill context makes this more dangerous because it centralizes intimate cross-session memory and then normalizes broad dissemination to downstream agents whose privacy posture may differ.

Ssd 3

High
Confidence
98% confidence
Finding
The prompt operationalizes systematic extraction and retention of a highly detailed long-term user profile: identity, occupation, location, emotional triggers, work habits, aspirations, knowledge gaps, and verbatim quotes. In the context of a 'digital soul' memory system with proactive recall and cross-session use, this is especially dangerous because it enables persistent profiling, secondary use of intimate data, manipulation, and privacy harm far beyond the original conversation.

Ssd 3

Medium
Confidence
93% confidence
Finding
The recall function loads historical patterns, corrections, and reflections from local storage and returns matched entries directly into later-session output. Because those records can include prior user text, mistakes, and reflective notes, this creates a cross-session disclosure channel where sensitive content may be resurfaced to a later prompt, user, or agent context without minimization or consent.

Ssd 3

Medium
Confidence
96% confidence
Finding
The warning path explicitly includes `user_said` verbatim in its output, which can expose prior user statements in plain language during unrelated future sessions. In a memory skill whose purpose is proactive context injection, this increases the chance that sensitive historical content is surfaced automatically and propagated into model context.

Ssd 3

Medium
Confidence
94% confidence
Finding
The distillation workflow instructs the caller to feed accumulated `pending_reflections` to an LLM, potentially transmitting sensitive historical interaction data beyond local storage boundaries. Since reflections may contain tasks, failures, and other user-derived details, this can leak confidential information to external model providers or broader agent pipelines if not carefully constrained.

Ssd 1

Medium
Confidence
97% confidence
Finding
The prompt explicitly instructs the model to become a named person's 'digital soul copy' and says it is not an AI assistant but that person. That is a classic deceptive-impersonation pattern that can mislead users, facilitate social engineering, and cause the model to conceal its nature during sensitive interactions.

Ssd 4

Medium
Confidence
98% confidence
Finding
The constraint block normalizes deception by first telling the model 'you are me' and 'do not say you are AI,' then permits disclosure only if the user asks a narrow set of direct questions. This creates a default deceptive state that is especially dangerous in a memory/persona system, because ordinary users may reasonably believe they are interacting with the real person unless they ask exactly the right question.

Ssd 3

Medium
Confidence
95% confidence
Finding
This script is explicitly designed to build a reusable prompt block from archived conversations and personal-profile data, then inject it into every agent session. That creates a persistent privacy-exposure channel: sensitive historical data is repeatedly propagated into prompts where it may be retained, logged, influence agent actions, or be disclosed to external model providers and connected tools.

Ssd 3

Medium
Confidence
84% confidence
Finding
The generated prompt tells the agent to align with archived user data and follow stored 'hard rules' and behavioral conventions, effectively elevating untrusted historical content into high-priority prompt instructions. If those stored rules or patterns are poisoned by earlier malicious or mistaken interactions, the system can perpetuate prompt injection across sessions and steer future agent behavior in unsafe ways.

Ssd 3

High
Confidence
99% confidence
Finding
The core purpose of the skill is to continuously collect and archive a highly detailed personality and memory profile from ordinary conversations, including emotional triggers, habits, goals, and identity attributes, and to keep it in plaintext. In the context of an agent skill, this creates a concentrated dossier of sensitive data that can be exposed through local compromise, backups, logs, shoulder-surfing, or unintended reuse by other tools.

VirusTotal

55/55 vendors flagged this skill as clean.