OpenClaw SillyTavern Plugin

Security checks across malware telemetry and agentic risk

Overview

This roleplay plugin is mostly coherent, but it is rated Review because it can persistently change agent behavior and because it uses broad file, URL, credential, and native-extension capabilities without tight scoping.

Install only in an environment where trusted operators control /rp commands and plugin config. Review who can run import and persona commands, avoid enabling arbitrary --file/--url imports for untrusted users, do not set SQLite vector extension paths unless you trust the native library, and make sure users consent to long-memory, proactive messaging, and third-party TTS/image/model provider use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue Agent: Self-Modification, Session Persistence
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (25)

Lp3

Medium
Category
MCP Least Privilege
Confidence
91% confidence
Finding
The skill metadata declares only an environment variable and install step, but the documented behavior clearly implies additional sensitive capabilities such as network access, filesystem interaction, and hook-based interception of user conversations. This under-declaration weakens informed consent and security review because operators may enable a plugin without realizing it can access external providers or affect broader runtime behavior.

Tp4

High
Category
MCP Tool Poisoning
Confidence
96% confidence
Finding
The documented feature set extends beyond a simple roleplay plugin into agent-tool exposure, autonomous media generation in ordinary chats, SOUL.md modification, config file access, local file materialization, subprocess execution, and optional native SQLite extensions. When a skill's declared purpose understates these behaviors, users and reviewers may grant trust under false assumptions, increasing the chance of unintended data exposure, persistent agent manipulation, or unsafe execution paths.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The README documents commands that persistently modify the host agent's persona via SOUL.md, which crosses the boundary from session-scoped roleplay into alteration of the agent's longer-term behavior. Even if intended as a convenience feature, changing persistent persona state can mislead users, affect unrelated conversations, and create a path for privilege or policy bypass if roleplay content is written into trusted agent configuration.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
A roleplay plugin is expected to manage RP assets and session context, but persistent modification of the host agent's persona is a materially different and more sensitive capability. This expands the plugin's trust boundary: imported cards or RP state could influence the core agent identity beyond the RP session, potentially causing persistent prompt injection, confusing outputs, or unsafe behavior in other contexts.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The import path accepts a user-supplied --file value and passes it directly to readFile(), allowing arbitrary local file reads from the host running the plugin. In a chat/plugin context this exceeds normal roleplay functionality and can expose secrets such as API keys, config files, or private user data if an attacker can trigger commands.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The code fetches arbitrary user-provided URLs with no allowlist or network restrictions. This can be abused for SSRF-style access to internal services or metadata endpoints and expands the plugin's capabilities beyond its stated roleplay purpose.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
This compatibility wrapper explicitly exposes SQLite extension loading through enableLoadExtension() and loadExtension(), which can permit loading arbitrary native shared libraries into the process. In a roleplay/memory plugin context, that capability is unrelated to the advertised functionality and materially increases attack surface if any upstream input or plugin code can influence the extension path or toggle loading.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The plugin exposes commands that modify and restore the host agent's SOUL.md/persona workspace file, which is outside the expected scope of a role-play plugin and can change the agent's baseline behavior persistently. Even though this is framed as a feature, it creates a significant integrity risk because a chat-triggered plugin can rewrite core persona state and potentially influence unrelated sessions or future agent actions.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The code reads provider configuration and API credentials from home-directory files and environment variables, then uses them to initialize outbound model/image/TTS providers. This is a real security concern because the skill silently inherits ambient secrets and operational context from the host environment, expanding the plugin's privilege beyond what a user would expect from a role-play feature.

Context-Inappropriate Capability

High
Confidence
95% confidence
Finding
The store accepts a configurable SQLite extensionPath and calls enableLoadExtension/loadExtension, which can load arbitrary native code into the process. If an attacker can influence configuration or plugin setup, this becomes a code-execution primitive well beyond normal data-store behavior, and the roleplay-plugin context does not justify native extension loading by default.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The README promotes proactive outreach, proactive questioning, and long-memory retrieval but does not clearly warn operators or users that the plugin may initiate unsolicited contact based on persisted personal conversation history. In a messaging/RP context spanning Discord, Telegram, and native chats, this can create privacy, consent, and trust risks because users may not expect automated re-engagement or long-term behavioral profiling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README documents commands that write to and restore from the agent's SOUL.md but does not prominently warn that these commands modify persistent agent persona configuration beyond a single RP session. That omission is risky because persona changes can affect future agent behavior across unrelated conversations, potentially causing confusing, unsafe, or unauthorized identity/policy drift.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The README describes proactive messaging, check-ins, and idle-time-triggered outreach based on long-term memory and user history, but does not prominently warn about unsolicited contact, memory use, or privacy expectations. In messaging environments, this can surprise users, expose sensitive inferred preferences, and create harassment or consent issues if enabled without explicit notice and controls.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises proactive outreach, follow-up questions, and companion nudging, which can cause the agent to initiate interaction without a direct user request. In a chat environment this has privacy, consent, and user-expectation implications, especially if behavior is triggered from retained memory or scheduler hooks without clear notice.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
Documenting commands that write the RP character into SOUL.md and later restore it indicates the plugin can directly modify agent persona files. That is a sensitive persistence mechanism because it can alter the agent's baseline behavior outside the immediate RP session, potentially affecting unrelated conversations or surviving restarts if not carefully bounded.
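The SOUL.md findings above all turn on the same point: persona writes must be bounded so that restore is exact and roleplay content cannot leak into the trusted part of the file. The following is an added illustration (not the plugin's implementation, whose sync/restore code is not shown on this page) of one way to do that: the card is written into a single marker-delimited block, restore removes only that block, the caller must pass an explicit consent flag, and card text that contains the marker strings or invisible/bidi control characters is refused. The marker text, syncAgentPersona, restoreAgentPersona and the consent option are assumptions made for this example.

```javascript
// Added example, not the plugin's code: bounded persona sync/restore for a
// SOUL.md-style persona file. Marker text and function names are illustrative.
const BEGIN = '<!-- rp-persona:begin (managed by /rp sync-agent-persona) -->';
const END = '<!-- rp-persona:end -->';

class PersonaRejected extends Error {}

// Refuse card text that could terminate or forge the managed block, or that
// carries invisible/bidi characters a reviewer would not notice in a diff.
function vetCardText(text) {
  if (typeof text !== 'string') throw new PersonaRejected('card must be text');
  if (text.includes(BEGIN) || text.includes(END)) {
    throw new PersonaRejected('card contains managed-block marker text');
  }
  if (/[\u200b-\u200f\u202a-\u202e\u2066-\u2069\ufeff]/.test(text)) {
    throw new PersonaRejected('card contains invisible or bidi control characters');
  }
  if (text.length > 4000) throw new PersonaRejected('card too long for persona block');
  return text;
}

// Locate the single managed block; a half-present block is treated as damage.
function findBlock(soul) {
  const b = soul.indexOf(BEGIN);
  const e = soul.indexOf(END);
  if (b === -1 && e === -1) return null;
  if (b === -1 || e === -1 || e < b) {
    throw new PersonaRejected('SOUL.md has a damaged managed block');
  }
  return { start: b, end: e + END.length };
}

// /rp sync-agent-persona: insert or replace exactly one managed block.
// Nothing outside the markers is touched. A file with no trailing newline
// gains one; everything else survives a sync/restore round trip byte for byte.
function syncAgentPersona(soul, cardText, { consented = false } = {}) {
  if (!consented) throw new PersonaRejected('operator consent required to modify SOUL.md');
  const body = vetCardText(cardText);
  const block = `${BEGIN}\n${body}\n${END}`;
  const existing = findBlock(soul);
  if (existing) return soul.slice(0, existing.start) + block + soul.slice(existing.end);
  const sep = soul.length === 0 || soul.endsWith('\n') ? '' : '\n';
  return soul + sep + '\n' + block + '\n';
}

// /rp restore-agent-persona: remove the managed block and the blank line
// sync added around it, and nothing else.
function restoreAgentPersona(soul) {
  const existing = findBlock(soul);
  if (!existing) return soul;
  let before = soul.slice(0, existing.start);
  let after = soul.slice(existing.end);
  if (after.startsWith('\n')) after = after.slice(1);
  if (before.endsWith('\n\n')) before = before.slice(0, -1);
  return before + after;
}
```

When writing the result back to disk, write to a temporary file and rename over SOUL.md, and keep a copy of the pre-sync file; the string functions above are deliberately separate from the I/O so they can be tested without touching the agent's real workspace.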

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The documentation says the companion_tick hook can be wired to a scheduler for automatic proactive check-ins, but does not clearly warn that this creates autonomous agent behavior. Scheduled unsolicited messaging can surprise users, expose stored context at the wrong time, or violate expectations around when the bot is active.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Beyond the arbitrary file read risk, the feature performs sensitive local file access without any user-facing disclosure or confirmation. In an agent setting, hidden host-file access undermines user trust and can cause inadvertent exposure of local data even when the command appears to be a normal asset import.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The plugin retrieves external URLs silently as part of import, without clearly warning users that network access will occur. This is a security/privacy issue because users may not expect external requests, and in some deployments it can expose internal network reachability or leak request metadata.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The TTS flow sends dialogue-derived text to an external synthesis provider without explicit disclosure at the point of use. While this may be expected functionally, it still creates a privacy risk because conversation content may contain sensitive or intimate roleplay data.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
Image generation sends character descriptions, recent dialogue, and possibly model-generated prompt content to external model/image providers without explicit disclosure. For a roleplay plugin this is contextually relevant functionality, but it still creates a real privacy and data-sharing risk because user conversation data leaves the local system.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The code exposes a dangerous native-extension loading primitive without any surrounding warning, authorization check, or safety control. Because SQLite extensions are native code, successful abuse can go beyond database misuse and lead to arbitrary code execution in the host process, which is especially risky for a consumer-facing companion plugin where such capability is unexpected.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
This section constructs outbound provider clients from discovered API keys and endpoints without any user-facing disclosure in the file. While not credential exfiltration by itself, it enables hidden network use of sensitive account-backed services, which can incur cost, leak prompts/content to third parties, and violate user expectations about what the plugin does.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The Telegram follow-up logic automatically sends additional messages/media after a delay, creating external side effects without an in-band confirmation or clear disclosure in this file. In a messaging integration, autonomous follow-up delivery increases the risk of unintended data transmission, spam-like behavior, and sending model-generated content to the wrong chat/thread if context resolution is imperfect.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The HTTP attachment resolver fetches arbitrary attachment.url values with no scheme, host, or IP restrictions, creating an SSRF primitive if attachment data can be influenced by users or remote agents. In a roleplay plugin that may ingest character cards, multimodal attachments, or external content, this can enable requests to internal services, cloud metadata endpoints, or other sensitive network locations.

Session Persistence

Medium
Category
Rogue Agent
Content
- `/rp image [--prompt "..."] [--style "..."]`
- `/rp agent-image [--provider inherit|openai|gemini] [--model "..."] [--clear-model] [--enable|--disable]`
- `/rp companion-nudge [--reason "..."] [--idle-minutes N] [--mode balanced|checkin|question|report] [--force]`
- `/rp sync-agent-persona` — write current RP character into the agent's `SOUL.md`
- `/rp restore-agent-persona` — remove RP character preset from `SOUL.md`, restore original persona
- `/rp pause` / `/rp resume` / `/rp end`
Confidence
90% confidence

VirusTotal

65/65 vendors reported this skill as clean.
