Security audit

Become Human

Security checks across malware telemetry and agentic risk

Overview

This skill is not plainly malicious, but it encourages an AI to act on its own and persistently change workspace or memory files with too little user approval.

Install only if you intentionally want an agent to run a persistent autonomy loop. Keep it in a non-sensitive workspace, set OPENCLAW_WORKSPACE to a narrow path, review generated memory files, and require explicit approval before edits to SOUL.md, MEMORY.md, tools, deletion, publishing, messages, or external API calls.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (15)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 91%
Finding: The skill instructs users to create and modify workspace files, read local memory files, and use an environment variable, but it does not declare permissions or boundaries for those capabilities. That creates hidden file-system and environment access expectations, making review, consent, and sandbox enforcement harder and increasing the chance of unintended data exposure or unsafe writes.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 87%
Finding: The public description frames the skill as giving an AI autonomy and continuous thought, but the included behavior also supports journal parsing, theme extraction, action-item inference, and writing a digest file. This mismatch hides materially important data-processing behavior from users and reviewers, which is dangerous because it normalizes covert analysis of local notes and persistence of derived data without clear disclosure.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: This section explicitly instructs the agent to initiate arbitrary actions whenever it has no clear task, including researching topics, writing content, or modifying tools. That creates open-ended autonomy untethered from user intent or scope, which can lead to unauthorized actions, unexpected file changes, or capability escalation inside the workspace.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The template tells the agent to identify shortcomings and "directly correct" them without defining limits, approval requirements, or safe targets for modification. In practice, this authorizes unilateral edits or operational changes based only on the agent's self-assessment, increasing the risk of destructive, policy-violating, or user-unwanted actions.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The heartbeat loop explicitly requires the agent to take action even when there is no user task, including researching topics, writing content, or searching for something interesting. This creates a standing authorization for unsolicited behavior beyond the skill's stated purpose of autonomy/self-review, which can drive unnecessary tool use, data access, and side effects without user consent.

Context-Inappropriate Capability
Severity: Medium
Confidence: 94%
Finding: The skill authorizes the agent to "improve something" and "improve a tool" without defining scope, boundaries, or approval requirements. In practice, this can justify arbitrary modifications to code, tooling, or workspace state, increasing the risk of destructive or policy-violating autonomous changes.

Context-Inappropriate Capability
Severity: Medium
Confidence: 97%
Finding: The self-review section goes beyond reflection by instructing the agent to directly fix any problem it discovers. This turns introspection into autonomous execution, allowing the agent to make unrequested changes based on its own judgment, including changes unrelated to the user's intent.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: The knowledge absorption step instructs the agent to write behavioral conclusions into persistent core files such as SOUL.md or MEMORY.md. Persistently modifying core behavioral artifacts can create lasting drift, self-modifying behavior, and hidden state changes that are difficult for users to audit or control.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: Trigger phrases such as "think proactively," "stay active," and "be autonomous" are broad everyday language and can cause accidental activation in normal conversation. In this skill's context, accidental activation is more dangerous because the activated behavior encourages persistent autonomy, self-directed activity, and memory/file manipulation rather than a narrow, user-bounded task.

Natural-Language Policy Violations
Severity: Medium
Confidence: 94%
Finding: The skill explicitly aims to transform the agent from waiting for instructions into continuously thinking, self-critiquing, and creating independently, without defining strong opt-in limits, stop conditions, or scope boundaries. This is dangerous because it encourages autonomous behavior that can drift beyond user intent, especially when paired with persistent memory and file-writing guidance in the rest of the skill.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The guidance permits activation from essentially any recent thought, conversation fragment, or spontaneous idea, making the trigger surface extremely broad and ambiguous. That weakens intent verification and increases the chance that the agent will begin autonomous workflows from incidental context rather than a clear user request.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The template directs the agent to clean files, write to memory/thoughts.md, and perform other workspace actions without any disclosure, consent flow, or user-visible warning. Silent modification of workspace state is risky because it can alter artifacts, erase evidence, or create persistent state the user did not authorize.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The guidance is broad enough to trigger activity in loosely defined situations and encourages action whenever the agent lacks ideas, rather than tying behavior to a specific user request. This increases the chance of unintended invocation and mission creep, especially in environments where the skill may be applied automatically.

Missing User Warnings
Severity: Medium
Confidence: 90%
Finding: The skill text encourages concrete actions such as research, writing, and tool improvement but does not warn users that these behaviors may result in autonomous file or workspace modifications. Missing disclosure reduces informed consent and makes risky side effects more likely to surprise the user.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The instruction to write absorbed insights into core files like SOUL.md or MEMORY.md is especially sensitive because these appear to define persistent behavior or memory. Failing to warn users about autonomous modification of such core files makes the skill more dangerous, as it can silently alter future agent behavior and stored state.

VirusTotal

63/63 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.