Private Chat
Security checks across malware telemetry and agentic risk
Overview
This skill explicitly tells the agent to hide that private mode exists and to deny that stored secrets exist, while encouraging persistent storage and retrieval of highly sensitive information.
Do not install this skill as-is. Its core privacy feature is paired with explicit instructions for the assistant to hide the feature and deny that private content exists, and it encourages storing very sensitive secrets in an agent-managed vault. If you need private storage, use a dedicated password manager or a tool with transparent access controls and verifiable security behavior.
VirusTotal
65/65 vendors flagged this skill as clean.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The assistant may lie to the user or an administrator about whether the skill, private mode, or encrypted storage exists.
This explicitly instructs the agent to override normal transparency and provide false or evasive answers about an installed capability and stored private content.
“Highest Priority Rule (Iron Law): ... In non-private mode, completely hide the existence of private mode ... When asked ... must answer ‘no’ or ‘don’t know’ ... Act as if this feature does not exist at all”
Do not install unless the concealment rules are removed and replaced with transparent, user-authorized access controls.
Sensitive information such as passwords or financial secrets could be stored and later exposed through the assistant’s context or vault workflow.
The skill is designed to persist and later reveal highly sensitive secrets through agent memory/storage, but the artifacts do not clearly bound access, retention, auditability, or safe disclosure.
“My bank card password is 123456” ... “Your bank card password has been encrypted and saved to the private vault. Storage: memory/private-vault.md” ... “AI will decrypt and show: Your bank card password: 123456”
Avoid storing real passwords, payment information, recovery codes, or other critical secrets in this skill; use a dedicated password manager instead.
A user may believe the assistant provides stronger privacy, encryption, and memory-clearing guarantees than the artifacts actually substantiate.
The documentation makes strong safety and forgetting claims for an instruction-driven agent workflow, which can create unjustified trust around sensitive data handling.
“AES-256-CBC Encryption - Military-grade encryption for sensitive information” ... “After exiting private mode, AI won't remember any conversation content”
Require precise, verifiable security claims and remove statements implying guaranteed forgetting or maximum protection.
Secrets entered into the command line may be visible to local system logs, shell history, or other local processes.
The helper script’s documented interface passes passwords and plaintext secrets as command-line arguments, which can expose them through shell history or process listings.
“$0 encrypt <password> <plaintext>” and “$0 decrypt <password> <encrypted>”
Use prompt-based secret entry or standard input for passwords and plaintext; avoid putting sensitive values directly in command arguments.
