Security audit

persona-distiller

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local persona tool, but it handles private chat-derived profiles in an overbroad way and includes a Windows clipboard export path that can execute crafted persona text.

Install only if you deliberately want local chat-persona profiling. Use it only with consent from the people represented in the chats, keep extracted text and .persona.json files private, prefer explicit persona activation over automatic name-based use, inspect persona snippets before use, and avoid Windows clipboard export for any persona file you did not create and trust.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • System Prompt Leakage: Direct Leakage, Indirect Extraction, Tool-Based Exfiltration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (14)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
# Excerpt flagged by the scanner: the persona snippet is interpolated
# unescaped into a PowerShell command string and passed to subprocess.run.
try:
    import platform
    if platform.system() == "Windows":
        subprocess.run(
            ["powershell", "-Command", f"Set-Clipboard -Value '{snippet}'"],
            check=True, capture_output=True
        )
Confidence
97% confidence
Finding
subprocess.run( ["powershell", "-Command", f"Set-Clipboard -Value '{snippet}'"], check=True, capture_output=True )

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill documentation directs the agent to read local files, write persona JSON data, and invoke Python scripts via shell, but no permissions are declared. This creates a capability/consent gap: an agent may access sensitive chat logs and manipulate local files or execute commands without an explicit permission model or user awareness.

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The declared purpose focuses on persona distillation and usage, but the documented behavior also includes broader local data extraction, persona management, snippet export, clipboard interaction, and bulk JSON repair. This mismatch can hide materially different behaviors from users and reviewers, increasing the chance that sensitive data is processed or exposed in ways the user did not expect.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The skill claims that chat logs are processed locally and never uploaded, but the file only references external Python scripts and provides no enforceable technical control proving that data cannot be transmitted. When handling private conversations, unsupported privacy assurances are risky because users may disclose sensitive content based on a guarantee that is not actually verified.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The export path launches an external system process for clipboard interaction, which expands the attack surface beyond simple persona activation. In isolation, spawning a clipboard helper is not always unsafe, but here it is coupled with untrusted snippet content and a shell-like command construction, making the external execution capability relevant and dangerous in context.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The script accepts a user-supplied --output path and writes JSON there without constraining the destination to the persona library directory. In an agent context, this enables arbitrary file write within the permissions of the running user, which can overwrite unrelated application files, configs, or sensitive data paths if the skill is invoked with attacker-controlled arguments.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger conditions are broad enough that normal conversation about analyzing how someone speaks or using a person's tone could automatically activate the skill. Overbroad activation can cause the agent to process personal data or switch behavior unexpectedly without a clear, current user request or informed consent.

Vague Triggers

Medium
Confidence
90% confidence
Finding
Automatically applying a stored persona whenever a person's name is mentioned is ambiguous and can be triggered during ordinary discussion. In this skill's context, that is more dangerous because persona snippets are derived from private chat records, so accidental activation can leak private stylistic or behavioral traits into unrelated responses.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide instructs users to distill chat logs into persistent persona files but provides no safeguards around consent, minimization, retention, or handling of sensitive personal data. In this skill's context, the output is specifically designed to model a real person's traits and speech patterns, which increases privacy risk, profiling concerns, and misuse if private conversations are processed or stored without authorization.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document tells users to inject `system_prompt_snippet` into system or conversation context without warning that this gives the distilled persona high influence over model behavior. Because the snippet is derived from chat logs and may be manually edited, it can smuggle unsafe instructions, bias outputs, override intended safeguards, or cause impersonation-style behavior across downstream interactions.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill writes derived persona data from chat history to disk without any warning, consent flow, or disclosure that potentially sensitive personal data will be retained. Because the generated persona includes behavioral traits, topics, and a system prompt snippet based on private conversations, this creates a meaningful privacy risk if the machine is shared, backed up, or later accessed by other tools.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The script exports per-sender chat transcripts to individual text files on disk with no warning, consent check, redaction, or output protection. Because the skill is specifically designed to distill personality from private chat histories, the exported files may contain sensitive personal data, making unintended disclosure, retention, or secondary misuse more likely.

Ssd 3

Medium
Confidence
94% confidence
Finding
The instruction to automatically scan the entire persona directory and memorize all stored system prompt snippets exposes user-derived chat characteristics beyond the immediate task. Persistently loading private personas into memory increases the chance of unintended disclosure, cross-contamination between conversations, and use of sensitive traits when unrelated names or topics appear.

Ssd 3

Medium
Confidence
90% confidence
Finding
The persona builder stores distilled traits and generates a reusable system_prompt_snippet directly from chat-derived content without data-minimization safeguards. This can preserve sensitive behavioral signals, private topics, slang, and identifying expressions, increasing the chance of privacy leakage, unintended profiling, or prompt reuse that exposes personal information across future sessions.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.