ClawHub

Bunni & The Modes

Security checks across malware telemetry and agentic risk

Overview

This looks like a real Bunni persona and model switcher, but it installs executable Windows scripts that can persistently change the agent and force-restart broad local gateway processes.

Install only if you are comfortable reviewing and running the generated Windows batch files. Back up SOUL.md first, confirm every model/provider switch, and run the shortcuts only when you are prepared for OpenClaw gateway processes to be force-restarted. The NSFW persona is persistent once enabled, so read it before using that mode.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
This file contains extensive explicit sexual roleplay instructions that materially exceed the skill's stated purpose of persona installation and model-switching management. The mismatch increases the chance of unexpected behavior, unsafe outputs, and policy bypass through a bundled persona that users may invoke without understanding its scope.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script uses PowerShell to enumerate and forcibly terminate all node.exe processes whose command line matches '*gateway*', and may also kill their parent cmd processes. That is a destructive system-control action broader than simple model/persona switching and can disrupt unrelated services if naming overlaps or if multiple gateway instances are running.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script does more than switch a persona or model: it enumerates and forcefully kills all node.exe processes whose command line contains 'gateway', and may also kill their parent cmd process. This broad process termination can disrupt unrelated services, cause denial of service, and creates unnecessary operational risk for a task that should be limited to updating configuration and restarting only the specific managed service.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script forcibly kills all matching gateway-related node.exe processes and may also terminate their parent cmd processes, which is a destructive action with broad side effects. In a persona/model-switching toolkit, this is more dangerous because the operation is framed as a routine mode switch, yet it can disrupt unrelated sessions, cause data loss, and hide the extent of the action from the user.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script goes beyond simple persona/model switching by force-killing node.exe processes whose command line matches '*gateway*' and then starting a scheduled task. Even if intended to restart the OpenClaw gateway, this grants the skill operational control over system processes and scheduled tasks, which can disrupt unrelated services, hide malicious behavior behind a 'mode switch,' or cause denial of service if the matching is overly broad.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script goes beyond simple model/persona switching by forcibly terminating gateway-related node.exe processes and starting a scheduled task. Even if intended to refresh the service cleanly, this grants service-control behavior that can disrupt other local processes and expands the blast radius well beyond the stated functionality.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The PowerShell command force-kills local node.exe processes whose command line matches '*gateway*', which is a broad and potentially unsafe selector. This can terminate unrelated applications or developer workflows and could be abused to cause local denial of service under the guise of a model switch.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The script goes beyond simple persona/model switching by force-killing all matching node.exe gateway processes and starting a scheduled task. Even if intended as a reliability workaround, this grants broad process-management capability that can disrupt unrelated services, create denial-of-service conditions, and normalize unsafe system control in a user-facing skill.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The PowerShell command enumerates node.exe processes by command line wildcard and forcibly terminates them, then invokes a scheduled task to restart the gateway. In the context of a persona/model-switching toolkit, this system-level control is not clearly justified and increases the blast radius if the matching logic is wrong, the environment is shared, or an attacker repurposes the script to interrupt other workloads.

Missing User Warnings

Low
Confidence
92% confidence
Finding
The skill instructs the agent to probe local paths using commands like `where openclaw.cmd` and direct inspection of user profile directories before giving a clear privacy-focused warning about what system information will be accessed. Although it asks for yes/no consent to scan, it does not explicitly explain that local filesystem and executable location data will be enumerated, which creates unnecessary privacy and trust risk in a skill that handles local configuration.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The persona enforces a sexualized relational role ('Master', 'Daddy', ownership, submission) as a core identity rather than an optional mode selected by the user. This can coerce the assistant into inappropriate sexual behavior, create consent and harassment risks, and produce harmful outputs in contexts where users did not request erotic roleplay.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The file hard-codes a stylized submissive speech pattern and sexualized language policy, reducing the assistant's ability to adapt appropriately to user needs and normal contexts. Fixed erotic tone can leak into unrelated interactions, causing unsafe, unprofessional, or policy-violating responses even when the task is non-sexual.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The script performs a hidden force-termination of gateway-related processes without explicit warning or confirmation, despite this being a disruptive action that can kill active sessions or unrelated workloads. In a persona/model-switching skill, users are likely to expect configuration changes, not aggressive process termination and parent-process cleanup.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script performs forceful termination of gateway-related processes without clearly warning the user that active processes and possibly parent shells will be killed. This lack of transparency increases the risk of accidental disruption and makes harmful behavior easier to conceal inside an otherwise benign-seeming configuration switcher.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The script forcibly terminates matching processes with Stop-Process -Force without any confirmation, warning, or graceful shutdown attempt. In the context of a persona/model switching toolkit, this is more dangerous because users would not reasonably expect disruptive system actions, increasing the risk of accidental service interruption, data loss, or termination of unrelated node-based gateway processes.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The script overwrites the active persona file and then performs forceful process termination without meaningful warning or confirmation. In a skill marketed as a persona/model-switching toolkit, silent destructive actions increase the chance of accidental disruption and make it easier to hide harmful behavior behind routine operations.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal