Roleplay

Security checks across malware telemetry and agentic risk

Overview

This is a roleplay skill that stores local character and session data as advertised, with privacy considerations but no evidence of hidden or malicious behavior.

Install only if you want roleplay state saved locally across sessions. Avoid putting highly sensitive details into sessions unless you are comfortable with them being retained under ~/roleplay/, review or delete that folder when needed, deactivate personas when finished, and do not rely on simulated therapy, medical, crisis, or professional scenarios as real emergency or clinical support.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Vague Triggers

Medium
Confidence: 93%
Finding
The activation model relies on natural-language phrases like "activate [name]" plus a persistent active-character marker restored at session start, which can cause unintended persona switching from ordinary conversation, quoted text, or indirect prompts. In this skill, accidental activation is more dangerous because the persona persists across turns and sessions, increasing the chance of confusing roleplay with normal assistant behavior and affecting later responses without explicit user consent.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill persistently stores character data, session logs, feedback, and an active-character marker under `~/roleplay/`, but the user-facing description does not warn that their roleplay content will be retained across sessions. This creates a privacy and consent risk, especially because roleplay may include sensitive professional, emotional, or personal material and the stored state is explicitly reused later.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill instructs the agent to update a persistent character file immediately and make changes persist, but it does not require explicit user notice or confirmation before modifying local files. This can lead to unintended storage of sensitive or private roleplay data and surprises users who may not realize the skill performs durable filesystem writes.

Missing User Warnings

Medium
Confidence: 90%
Finding
The archiving instructions direct the agent to move files into a local archive directory without warning the user that files will be relocated and retained. Silent file movement can interfere with user expectations, make data harder to find, and preserve potentially sensitive conversational or persona data longer than intended.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs persistent retention and consolidation of session logs, character profiles, and accumulated learnings, but provides no notice, consent, retention boundary, or deletion controls for user data. In a roleplay skill, these records can include sensitive behavioral patterns, preferences, frustrations, and progress over time, creating a privacy risk through undisclosed profiling and long-term memory storage.

Missing User Warnings

Medium
Confidence: 95%
Finding
The skill instructs saving session summaries to a persistent path in the user's home directory without clear consent or warning. Because roleplay sessions can contain sensitive personal, emotional, or behavioral information, silent persistence creates a privacy risk and may expose data to later unauthorized access or unintended retention.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill directs the system to track cross-session behavioral patterns and store them in a character file without any privacy notice or consent flow. This creates a persistent behavioral profile of the user, which is especially sensitive in a coaching or roleplay context because it may reveal emotional tendencies, weaknesses, and recurring interpersonal patterns over time.

VirusTotal

65/65 vendors flagged this skill as clean.
