Charisma Coach Skill

Security checks across malware telemetry and agentic risk

Overview

The coaching skill itself is coherent, but the package includes a release script that can publish to a different skill identity.

Review before installing. The coaching instructions appear purpose-aligned, but do not run publish.sh unless you specifically intend to commit, push, and publish to the hardcoded ReplyHer target. The publisher should remove the script from the user package or update it to validate and publish only the charisma-coach skill.

SkillSpector

By NVIDIA

Vulnerability Patterns

MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (2)

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The script claims to publish the current skill, but hard-codes a different slug (`replyher`) and points users to a different GitHub/ClawHub destination. This creates a supply-chain integrity risk: a maintainer running the script for `charisma-coach` could unintentionally publish or overwrite another skill identity, or leak this project’s contents into the wrong repository/account.

Intent-Code Divergence

High

Confidence: 99% confidence
Finding: The inline comments and status messages present this as a normal publish flow for the current project, while the actual command publishes under the `replyher` identity. This mismatch is deceptive and increases the likelihood that a reviewer or maintainer will trust and run the script, causing mispublication, namespace confusion, or unauthorized updates to another skill listing.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal