Ai Company Clo 2.0.0

Security checks across malware telemetry and agentic risk

Overview

This legal/compliance skill includes broad personal-assistant memory, heartbeat, messaging, and file-modification behavior that needs review before installation.

Install only if you are comfortable with a skill that may store personal and work context, run heartbeat-style background checks, communicate through sessions_send, and potentially link messaging accounts. Before using it with legal or business-confidential material, narrow triggers and permissions, require confirmation before file deletion or external sends, disable autonomous commits/pushes, and review where memory/profile data is stored and how to delete it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (13)

Intent-Code Divergence

Medium
Confidence
97% confidence
Finding
The file explicitly instructs the agent to delete BOOTSTRAP.md automatically after reading it, which conflicts with the later safety rule against destructive actions without asking. In an agent workspace, automatic deletion can remove provenance, setup instructions, or evidence of tampering, and it normalizes destructive behavior before user confirmation.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The document says MEMORY.md must not be loaded in shared contexts because it may contain personal data, but later heartbeat instructions broadly tell the agent to review and update MEMORY.md without restating that restriction. This creates an unsafe policy conflict that could cause private long-term memory to be accessed or surfaced during shared or automated contexts.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill authorizes action on any message matching a configurable heartbeat prompt, which is an overly broad trigger surface. An attacker or untrusted participant could craft or relay a matching prompt to induce the agent to read files, perform checks, or update state outside the intended scheduler path.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The instruction to delete BOOTSTRAP.md provides no warning or confirmation step even though it directs a file deletion. That increases the chance of irreversible or inappropriate modification of workspace files and undermines user control over destructive operations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill encourages proactive creation and updating of memory files to persist information across sessions, but it does not clearly warn users that data will be stored long-term. This can lead to unintentional retention of sensitive personal or operational information without meaningful consent or visibility.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The bootstrap instructs the agent to collect and persist personal profile data such as the user's name, preferred form of address, timezone, and personal notes without any notice, consent language, retention policy, or minimization guidance. In a fresh workspace skill, this creates unnecessary privacy risk because the agent is being directed to store identifiable user data by default, potentially beyond what is needed for immediate functionality.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill encourages linking external messaging accounts via WhatsApp or Telegram and mentions actions like showing a QR code or setting up a bot, but provides no warning about privacy, account security, impersonation risk, or the consequences of granting persistent external-channel access. This is more dangerous in agent context because linking external accounts can expand the blast radius from a single chat session to ongoing communications and access to personal messaging identities.

Missing User Warnings

Low
Confidence
86% confidence
Finding
The instruction to delete the bootstrap file is a destructive action issued without confirmation, warning, or explanation of reversibility. While low impact on its own, it normalizes autonomous file deletion by the agent and could remove useful audit/context information, especially in a fresh workspace where users may not expect files to be modified or erased automatically.

Natural-Language Policy Violations

Medium
Confidence
92% confidence
Finding
The file content is entirely in Chinese and provides no indication that users may interact in another language, which can effectively force a language choice without user consent. This is primarily a usability and accessibility issue, but in an agent skill it can also impair user understanding of compliance or escalation instructions, increasing the chance of misconfiguration or missed safety actions.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The identity content strongly anchors the skill to a Chinese-language persona and tone without indicating that language should adapt to user preference or task context. This can override user expectations, reduce accessibility, and cause unintended prompt-priority conflicts where the agent responds in Chinese even when the user did not request it.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list contains broad, common legal terms such as '法务', '合同', and '合规', which can cause the skill to activate in many ordinary conversations unrelated to this specific CLO role. Because the skill has write, network, and session-send permissions, accidental invocation could expose sensitive business or legal context to a more privileged workflow than the user intended.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The manifest grants file write, network API, and session-send capabilities, yet the skill text does not clearly warn users that legal matter details, contracts, personal data, or compliance artifacts may be transmitted or modified. In a legal/compliance skill, this context increases risk because inputs are especially likely to contain confidential, regulated, or privileged information.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- Nothing new since last check
- You just checked <30 minutes ago

**Proactive work you can do without asking:**

- Read and organize memory files
- Check on projects (git status, etc.)
Confidence
79% confidence
Finding
without asking

VirusTotal

64/64 vendors flagged this skill as clean.