Back to skill

Security audit

EmoClaw

Security checks across malware telemetry and agentic risk

Overview

EmoClaw is a disclosed local emotion-state skill that reads configured memory files and can optionally send extracted passages to Anthropic for labeling with consent.

Before installing, review the configured bootstrap source files, inspect extracted_passages.jsonl before any labeling, keep ANTHROPIC_API_KEY unset unless you intend to send passages to Anthropic, avoid running the daemon as root, and consider pinning dependencies or skipping the default pytest install in stricter environments.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral ASTexec() Call, eval() Call, Dynamic Import
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (13)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# --- Install dev dependencies ---
    print("  Installing dev dependencies (pytest)...")
    subprocess.run(
        [str(pip), "install", "pytest"],
        capture_output=True,
        text=True,
Confidence
77% confidence
Finding
subprocess.run( [str(pip), "install", "pytest"], capture_output=True, text=True, )

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill documents capabilities to read local files, write persistent state and training artifacts, create a virtual environment, invoke shell commands, and optionally send extracted passages to an external API, yet no explicit permission declaration is present. This increases the chance that an operator enables the skill without understanding its actual access level, especially because it touches identity/memory files and can exfiltrate their contents during the labeling step.

Tp4

High
Category
MCP Tool Poisoning
Confidence
89% confidence
Finding
The advertised purpose focuses on emotional state generation, but the documented behavior also includes repository-wide file extraction, package installation into the host project, daemon/socket exposure, and optional transmission of extracted content to Anthropic. That mismatch is security-relevant because users may grant trust based on a narrow mental model while the skill actually performs broader and riskier operations involving sensitive local data and prompt injection.

Context-Inappropriate Capability

Low
Confidence
88% confidence
Finding
Installing pytest is unrelated to the core function of initializing an emotion-state skill and introduces unnecessary third-party code execution and dependency risk. Because this occurs during first-time setup, users may unknowingly allow network installs and package-side effects that are not required for operation.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
This diagnostic script prints raw input messages alongside the model’s inferred emotional state, which can expose sensitive conversational content and behavioral profiling data in logs or terminal history. In the context of a memory- and identity-driven emotional modeling skill, those outputs are more privacy-sensitive than ordinary debug data because they may reveal relationship signals and personalized internal state derived from user interactions.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The architecture explicitly persists an emotion vector, GRU hidden state, timestamps, message counts, and trajectory across sessions, but provides no warning or privacy guidance about retaining sensitive conversational and inferred emotional history. In a skill designed to build a long-lived emotional fingerprint from user interactions, this omission increases the likelihood that deployers will store personal or behavioral data without appropriate minimization, consent, retention limits, or protection.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The script extracts passages from identity and memory files and persists them to `extracted_passages.jsonl` without an explicit user-facing warning, confirmation step, or restrictive file-permission handling. In this skill’s context, the source material is especially likely to contain intimate or identifying content, so silently writing a consolidated dataset to disk increases the chance of unintended disclosure through backups, logs, sharing, or later processing.

Unpinned Dependencies

Low
Category
Supply Chain
Content
torch>=2.0.0
sentence-transformers>=2.2.0
numpy>=1.24.0
Confidence
92% confidence
Finding
torch>=2.0.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
torch>=2.0.0
sentence-transformers>=2.2.0
numpy>=1.24.0
Confidence
90% confidence
Finding
sentence-transformers>=2.2.0

Unpinned Dependencies

Low
Category
Supply Chain
Content
torch>=2.0.0
sentence-transformers>=2.2.0
numpy>=1.24.0
Confidence
88% confidence
Finding
numpy>=1.24.0

Known Vulnerable Dependency: torch — 10 advisory(ies): CVE-2025-2953 (PyTorch susceptible to local Denial of Service); CVE-2022-45907 (PyTorch vulnerable to arbitrary code execution); CVE-2025-32434 (PyTorch: `torch.load` with `weights_only=True` leads to remote code execution) +7 more

Critical
Category
Supply Chain
Confidence
95% confidence
Finding
torch

Known Vulnerable Dependency: numpy — 10 advisory(ies): CVE-2014-1859 (Numpy arbitrary file write via symlink attack); CVE-2021-41495 (NumPy NULL Pointer Dereference); CVE-2021-33430 (NumPy Buffer Overflow (Disputed)) +7 more

Critical
Category
Supply Chain
Confidence
74% confidence
Finding
numpy

Known Vulnerable Dependency: pyyaml — 8 advisory(ies): CVE-2019-20477 (Deserialization of Untrusted Data in PyYAML); CVE-2020-1747 (Improper Input Validation in PyYAML); CVE-2020-14343 (Improper Input Validation in PyYAML) +5 more

Critical
Category
Supply Chain
Confidence
93% confidence
Finding
pyyaml

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dynamic_code_execution

Dynamic code execution detected.

Critical
Code
suspicious.dynamic_code_execution
Location
engine/emotion_model/tests/test_model.py:74