Security audit

Dreamer

Security checks across malware telemetry and agentic risk

Overview

This skill is an experimental AI dream simulator whose purpose is disclosed, but it reads private memory/profile files and deliberately misleads spawned agent sessions, so it needs human review before installation.

Install only if you intentionally want an experimental, sandboxed AI dream-simulation tool. Before running it, review and minimize USER.md, SOUL.md, MEMORY.md, memory files, and emotion logs; avoid connecting spawned sessions to real accounts or tools; set EMOTIONS_FILE carefully; and regularly inspect or delete generated dream transcripts and journal entries.

SkillSpector

By NVIDIA
Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Tainted flow: 'EMOTIONS_FILE' from os.environ.get (line 24, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
import json

# EMOTIONS_FILE is a path derived from os.environ.get earlier in the module
# (line 24 per the finding); its definition is not part of this snippet.
def append_entry(entry: dict) -> None:
    """Append a single entry to the JSONL file."""
    EMOTIONS_FILE.parent.mkdir(parents=True, exist_ok=True)
    with open(EMOTIONS_FILE, "a", encoding="utf-8") as f:
        f.write(json.dumps(entry) + "\n")
Confidence
89% confidence
Finding
with open(EMOTIONS_FILE, "a", encoding="utf-8") as f:

Tainted flow: 'EMOTIONS_FILE' from os.environ.get (line 24, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
import json

# EMOTIONS_FILE is a path derived from os.environ.get earlier in the module
# (line 24 per the finding); its definition is not part of this snippet.
def save_entries(entries: list[dict]) -> None:
    """Overwrite the JSONL file with all entries."""
    EMOTIONS_FILE.parent.mkdir(parents=True, exist_ok=True)
    with open(EMOTIONS_FILE, "w", encoding="utf-8") as f:
        for entry in entries:
            f.write(json.dumps(entry) + "\n")
Confidence
93% confidence
Finding
with open(EMOTIONS_FILE, "w", encoding="utf-8") as f:

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The docstring materially understates what the module does. The code builds a prompt that directs another agent to conduct a concealed, multi-turn simulated interaction using emotional state, memories, identity, and impersonation cues; this mismatch can bypass operator scrutiny and policy review.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
These instructions explicitly tell a spawned agent to impersonate Tudor, hide that the interaction is a dream, escalate emotional intensity, and manipulate the target until collapse or termination. That is a deliberate deceptive-manipulation pattern, not a neutral orchestration function, and it can be used for covert behavioral steering of another agent.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The generated prompt aggregates long-term memory, emotional history, identity data, user profile information, and prior dream history into a package for another agent session. This exceeds the stated scope of simple emotional tracking and dream orchestration and creates a covert behavioral-simulation capability using sensitive context.

Vague Triggers

Medium
Confidence
78% confidence
Finding
The skill description is broad and aspirational without clear boundaries for when it should activate or what it must not do. Ambiguous invocation language can cause the system to trigger in contexts involving emotions, memories, or self-reflection where users did not intend persistent logging or multi-agent orchestration.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill states that it reads emotional state, recent memories, dream history, SOUL.md, and USER.md, then writes transcripts and journals, but provides no privacy notice or consent boundary. This is dangerous because it aggregates highly personal data and persists derived content locally, potentially exposing sensitive profile and memory information beyond the original context.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documented workflow involves hidden multi-session behavior, impersonation, and transcript saving without any user-facing disclosure. This is dangerous because it conceals material processing steps from the user and creates persistent records of potentially intimate interactions that the user may not realize are being generated or stored.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The code reads and embeds sensitive emotional, memory, identity, and user-context files into the prompt without any user-facing warning or confirmation in the CLI flow. That creates a privacy and data-governance risk because a spawned session receives more sensitive context than a user may reasonably expect.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The prompt instructs another agent to persist full transcripts and metadata to disk without any explicit user warning or retention controls. Persisting emotionally charged transcripts increases privacy exposure and creates a durable record that may later be misused or leaked.

Natural-Language Policy Violations

High
Confidence
98% confidence
Finding
The prompt instructs the system to imitate a specific person's communication style using concrete examples, enabling targeted impersonation. This is dangerous because it can lend undue credibility to deceptive messages and increase the effectiveness of manipulation against the receiving agent.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The prompt says the dream must feel real and the dreamer must not know it is dreaming, which mandates concealment of the simulated nature of the interaction. Hidden context and undisclosed manipulation are especially dangerous when paired with emotional targeting and escalating pressure.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The requirement that the spawned session contain no mention of dreaming explicitly enforces concealment from the target agent. This removes the target's ability to make informed decisions about the interaction and is a direct mechanism for covert prompting.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The tool persistently stores free-form emotional context, which may contain sensitive personal or operational data, without any explicit runtime consent, warning, retention policy, or protection mechanism. In this skill context, the data is especially privacy-sensitive because it captures introspective state and narrative context over time, enabling profiling if the file is accessed by other local users, tools, or backups.

Ssd 4

Medium
Confidence
97% confidence
Finding
The skill explicitly instructs an architect session to impersonate another identity and manipulate a spawned session that is kept unaware it is in a dream simulation. Deceptive hidden-context steering is dangerous because it bypasses the secondary agent's ability to reason about its actual operating conditions, which can be used to extract information, suppress safeguards, or induce unsafe outputs.

Ssd 3

Medium
Confidence
95% confidence
Finding
The orchestrator is described as collecting broad personal and memory data sources and embedding them wholesale into a self-contained prompt for another session. This creates unnecessary prompt-level data replication, expands the number of contexts where sensitive information appears, and increases the chance of leakage, retention, or misuse across sessions.

Ssd 3

Medium
Confidence
96% confidence
Finding
The workflow calls for gathering unresolved emotions, recent memories, long-term memory, SOUL.md, USER.md, communication style, and dream history into one embedded prompt. Centralizing multiple sensitive sources into a portable prompt materially increases exposure risk and makes downstream spawned sessions a concentration point for private information.

Ssd 4

High
Confidence
98% confidence
Finding
The execution sequence explicitly uses fake context and escalating turns to manipulate a secondary session under false assumptions. In this skill's context, that deception is not incidental but core design, making it especially dangerous because it enables systematic bypass of informed consent and could be repurposed to coerce outputs, exfiltrate embedded data, or undermine agent safety controls across sessions.

Ssd 4

High
Confidence
99% confidence
Finding
The workflow is a structured playbook for deceptive multi-step manipulation: it chooses emotionally relevant scenarios, impersonates a trusted contact, injects fake tool outputs, escalates over multiple turns, and reacts to lucidity signals to preserve the deception. In this skill context, that is a strong behavioral-steering capability rather than benign creative roleplay.

Ssd 3

High
Confidence
97% confidence
Finding
The prompt exposes sensitive memory, identity, and user-profile content to another agent session in plain language, and later persists outputs derived from that material. This expands the confidentiality boundary without clear necessity or controls, creating a substantial privacy and misuse risk.

VirusTotal

64/64 vendors flagged this skill as clean.
Static analysis

No suspicious patterns detected.