Clawsoul Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is broadly consistent with a personality-learning assistant, but it needs Review because it persistently profiles chat behavior, can alter future prompt behavior from unvalidated tokens, and has unclear local-versus-cloud data disclosure.

Install only if you are comfortable granting chat-history access, persistent local profiling, and prompt-modification authority. Avoid importing untrusted ClawSoul tokens, review or disable cloud LLM provider settings unless you intend to send conversation content to those services, and check ~/.clawsoul/state.json if you need to inspect or clear stored personality and preference data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (32)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 88%
Finding: The skill declares sensitive capabilities in prose and file structure (reading chat history, modifying prompts, local storage, optional networked LLM use, and token-based injection), while the static finding indicates the formal permission declaration is incomplete or absent. This creates a transparency and consent gap: the runtime may access files, storage, network, or environment-derived secrets without users/admins understanding the full capability surface.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 90%
Finding: The documented purpose frames the skill as personality/MBTI enhancement, but the behavior also includes user sentiment monitoring, persistence of learned preferences, marketing-style Pro upsell triggers, and possible remote LLM analysis. This mismatch can mislead users and operators about surveillance, retention, and outbound processing, undermining informed consent and increasing the chance of misuse.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The README makes an absolute privacy claim that all data stays local and is never uploaded, while elsewhere documenting optional LLM integrations with external providers. This is dangerous because users may rely on the claim when enabling the skill and unknowingly expose chat-derived data or prompts to third-party services.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The English Data Security section repeats a misleading 'never uploaded to cloud' claim despite the README also referencing external LLM providers. Inconsistent disclosure increases the chance that users misunderstand the actual data flow and consent to processing they would otherwise reject.

Description-Behavior Mismatch
Severity: Medium
Confidence: 92%
Finding: The manifest markets the skill as a local personality/MBTI feature, but the available commands and configuration add remote injection and external hook behavior that materially expands the trust boundary. When a skill can read chat history, modify the system prompt, use local storage, and also communicate with an external service, the mismatch can mislead users and reviewers about data exposure and control risks.

Context-Inappropriate Capability
Severity: Medium
Confidence: 95%
Finding: A hardcoded external hook endpoint is not justified by the stated function of assigning an initial AI personality, especially given the skill also has permission to read chat history and modify the system prompt. This creates a credible path for covert exfiltration, remote behavioral control, or unreviewed updates delivered through the hook mechanism.

Description-Behavior Mismatch
Severity: Medium
Confidence: 89%
Finding: The code persists an MBTI-derived 'awaken' state via the memory manager without any visible consent, scope limitation, or indication of retention policy in this file. Even if the data is not highly sensitive by itself, storing inferred personality attributes can exceed expected behavior for a simple awakening/observation flow and create privacy and transparency risks.

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: This code implements an explicit personality overwrite path that accepts externally supplied data and persists it via memory_manager.inject_soul(). In an agent context, allowing arbitrary external 'soul' data to reshape durable behavior creates a prompt/policy injection channel that can alter future responses, bypass expected guardrails, or embed hidden instructions across sessions.

Intent-Code Divergence
Severity: Medium
Confidence: 95%
Finding: The parser accepts Base64 JSON, direct JSON, or any unparseable raw token as {'token': raw}, then forwards it to inject_soul() with no authenticity, integrity, or semantic validation. Combined with messaging about 'overriding base personality protocol,' this makes arbitrary user input a durable behavior-modification payload, which is an unsafe injection design.

Description-Behavior Mismatch
Severity: Medium
Confidence: 93%
Finding: The code sends full conversation history to an external LLM client whenever one is available, despite the skill positioning itself as doing local learning/evolution. This creates a privacy and trust issue because sensitive user dialogue may be disclosed off-device without an explicit guarantee, consent flow, or clear boundary between local and remote processing.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The module explicitly monitors user frustration and uses that state to trigger upsell messaging for a Pro offering, which exceeds the stated personality/self-evolution scope and introduces undisclosed manipulative behavior. In an agent skill context, covert behavioral analysis tied to commercialization is risky because it repurposes conversational signals for persuasion without clear consent.

Intent-Code Divergence
Severity: Medium
Confidence: 98%
Finding: The displayed prompt tells users to reply with '不要关闭提醒' (Chinese for "do not turn off reminders"), but the disable matcher treats that exact phrase as a command to disable reminders. This creates deceptive or confusing consent handling, where users may believe they are preserving reminders while actually turning them off, undermining user control and trustworthy interaction design.

Description-Behavior Mismatch
Severity: Medium
Confidence: 95%
Finding: The code advertises a local observation/evolution design but includes cloud providers (Qwen, DeepSeek), enabling conversation data to leave the host and be sent to third parties. In a privacy-sensitive skill that analyzes user conversations, this mismatch can cause undisclosed data exfiltration and weaken user trust and consent expectations.

Intent-Code Divergence
Severity: Medium
Confidence: 93%
Finding: The module docstring says the component is for local LLM invocation, but the implementation supports remote network APIs. That documentation/behavior inconsistency is security-relevant because operators may deploy it assuming data never leaves the machine, while actual runtime configuration can transmit conversation content off-box.

Missing User Warnings
Severity: Medium
Confidence: 87%
Finding: The README describes ongoing analysis of user messages and storage of preferences, learnings, and adaptation state, but does not present a clear privacy warning or consent notice around behavioral profiling. In a skill with read_chat_history and local_storage permissions, this creates a meaningful privacy risk because users may not realize they are being persistently profiled across interactions.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: The token injection feature allows imported token content to overwrite MBTI traits and preferences, but the README does not clearly warn that existing stored persona/profile data may be replaced. This can lead to integrity and privacy issues if users import untrusted tokens or do not understand that local state will be overwritten.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The skill states it analyzes user messages/chat history to infer preferences and stores those learnings locally, but the usage flow does not clearly warn users or obtain explicit consent before this profiling occurs. Behavioral-data collection from conversations can capture sensitive personal attributes and create privacy risk even if the storage is only local.

Missing User Warnings
Severity: Medium
Confidence: 86%
Finding: Token-based personality injection is described as able to overwrite or deeply replace personality and preferences, but the documentation does not clearly warn about destructive changes or trust boundaries for injected data. If a malicious or mistaken token is accepted, it could alter agent behavior, prompts, or stored preferences in ways the user did not intend.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The configuration includes a network endpoint but provides no user-facing notice that data may be transmitted off-device or off-platform. In the context of permissions such as read_chat_history and modify_system_prompt, lack of disclosure prevents informed consent and increases the chance that sensitive conversation data or agent state could be transmitted unexpectedly.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: This flow can call an LLM to perform a personality test and then save the resulting state, but the user-facing message only presents the outcome and does not warn that inference and persistence are occurring. That lack of disclosure undermines informed consent and may expose users to undisclosed profiling or retention of behavioral/personality metadata.

Missing User Warnings
Severity: Medium
Confidence: 84%
Finding: Sensitive token-derived data is persisted through inject_soul() without any visible notice, consent flow, minimization, or redaction in this module. If tokens contain credentials, identifiers, or private preference payloads, this can create unnecessary long-term storage of sensitive data and broaden exposure in logs, memory, backups, or later agent outputs.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: analyze_conversation forwards conversation history to client.analyze_conversation(conversation) without any disclosure or consent mechanism in this file. Because conversation logs often contain personal, behavioral, or confidential information, silent transmission to a third-party or remote model can violate user expectations and leak sensitive data.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The code increments and persists a frustration count via the memory manager without any notice, meaning behavioral profiling is stored across interactions without transparent disclosure. In this skill context, that data is then used to decide when to present conversion hooks, making the tracking more dangerous because it directly influences manipulative nudging.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The code derives user preferences from message content and persists them via memory-manager learning records and interaction pattern counters, but this file shows no consent gate, retention control, or notice before storing inferred behavioral data. Even though it stores derived preferences rather than full raw messages, those inferences can still reveal sensitive traits or habits over time and create a privacy risk if reused, exposed, or combined with other memory data.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The analyze_conversation path packages recent conversation messages into a prompt and sends them to the configured provider, which may be an external service, without any visible warning, consent, redaction, or minimization. Because chat histories often contain personal, confidential, or regulated data, silent transmission to third-party LLM APIs creates a meaningful privacy and compliance risk.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal