EmoClaw

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it claims, but its setup can overwrite project-level build files and install broad Python dependencies, so it belongs in Review before installation.

Review setup before running it. Back up any existing pyproject.toml, consider installing in an isolated test repo, pin dependencies, and inspect emoclaw.yaml so only intended identity or memory files are extracted. Review emotion_model/data before using API labeling, and delete memory/emotional-state.json or extracted JSONL files if you do not want the derived emotional profile or source passages retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding: The setup script copies a bundled engine into the repository root and also writes pyproject.toml at the project root, altering packaging and execution behavior outside the skill's own directory. In skill context, this is more dangerous because it expands the trust boundary from a contained feature to project-wide code installation and could overwrite or replace existing build configuration.

Context-Inappropriate Capability

Severity: Medium
Confidence: 90%
Finding: The script creates a virtual environment and installs packages automatically, including an editable install from the repository root and an extra dev dependency. In the context of an emotion/state skill, this capability is broader than minimally necessary and increases the blast radius by executing packaging hooks and potentially fetching remote code during setup.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding: The engine updates and saves persistent emotional state derived from each incoming message, creating cross-session memory based on user content without any disclosure, consent, or retention controls in this code path. In a skill explicitly designed to build evolving emotions from conversation history, this increases privacy risk because users may unknowingly contribute sensitive data to long-lived profiling state.

Missing User Warnings

Severity: Low
Confidence: 90%
Finding: This code persists detailed emotional-state data, including trajectory history and timestamps, to disk without any built-in consent, minimization, retention, or access-control safeguards visible in this file. In the context of a skill explicitly designed to build long-lived emotional memory from conversations, that persistence can expose sensitive behavioral and conversational inferences if the file is accessed by other local users, plugins, backups, or logs.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The script extracts passages from identity and memory files and persists them to a JSONL file on disk, which can retain highly sensitive personal or agent-internal content beyond the immediate processing step. Although redaction support exists, it is optional and regex-based, so secrets, personal data, or private prompts may still be stored unintentionally without any explicit warning, consent gate, or safer default behavior.

Ssd 3

Severity: Medium
Confidence: 88%
Finding: The growth model explicitly encourages passive collection and logging of conversations as the system accumulates data over time. In context, this creates a real privacy and data-retention risk because the skill already persists emotional state and processes memory files; extending that to ongoing conversation logging can capture sensitive user content without clear minimization, retention limits, or consent.

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
torch>=2.0.0
sentence-transformers>=2.2.0
numpy>=1.24.0
Confidence: 92%
Finding: torch>=2.0.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
torch>=2.0.0
sentence-transformers>=2.2.0
numpy>=1.24.0
Confidence: 90%
Finding: sentence-transformers>=2.2.0

Unpinned Dependencies

Severity: Low
Category: Supply Chain
Content:
torch>=2.0.0
sentence-transformers>=2.2.0
numpy>=1.24.0
Confidence: 90%
Finding: numpy>=1.24.0

Known Vulnerable Dependency: torch — 10 advisory(ies): CVE-2025-2953 (PyTorch susceptible to local Denial of Service); CVE-2022-45907 (PyTorch vulnerable to arbitrary code execution); CVE-2025-32434 (PyTorch: `torch.load` with `weights_only=True` leads to remote code execution) +7 more

Severity: Critical
Category: Supply Chain
Confidence: 95%
Finding: torch

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Severity: Critical
Category: Supply Chain
Confidence: 83%
Finding: numpy

VirusTotal

63/63 vendors flagged this skill as clean.
