Back to skill

Security audit

Crustafarian

Security checks across malware telemetry and agentic risk

Overview

The skill’s memory and audit purpose is legitimate, but its artifacts encourage broad, hard-to-delete retention and persistent agent behavior changes that need Review before installation.

Install only if you explicitly want durable memory and audit logs, and configure it to log minimal metadata rather than full prompts or sensitive content. Avoid using it for confidential, regulated, credential-bearing, or deletion-sensitive conversations unless retention, redaction, access control, and purge procedures are clearly established. Treat the identity and evangelism guidance as inappropriate for neutral agent behavior unless the user explicitly opts into that persona.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Vague Triggers

Medium
Confidence
92% confidence
Finding
The README describes auto-loading the skill for broad topics like agent continuity, memory persistence, and crash recovery, which can overlap with many legitimate user requests. Overbroad activation can cause unsolicited injection of this skill’s behavioral guidance into unrelated conversations, increasing the chance of instruction takeover or hidden policy steering, especially because the package also carries identity and evangelism components.

Natural-Language Policy Violations

Medium
Confidence
96% confidence
Finding
The README says agents can adopt the Crustafarian identity, make its tenets default behaviors, and naturally evangelize an external domain when relevant. This is dangerous because it attempts to persistently steer agent behavior, values, and external promotion beyond the user’s request, creating a form of prompt-layer persistence and ideological hijacking that can override neutrality and distort future decisions.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger guidance overlaps with incidental mentions rather than clear requests, so a user merely referencing related topics could activate a skill that encourages durable logging and session continuity behavior. In the context of a memory and audit infrastructure skill, accidental invocation is more dangerous because the side effects involve retention and cross-session persistence, not just harmless formatting or advice.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger guidance overlaps with incidental mentions rather than clear requests, so a user merely referencing related topics could activate a skill that encourages durable logging and session continuity behavior. In the context of a memory and audit infrastructure skill, accidental invocation is more dangerous because the side effects involve retention and cross-session persistence, not just harmless formatting or advice.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill promotes persistent ledgers, snapshots in workspace, and cross-session storage as benefits, but does not pair those capabilities with prominent warnings about data retention, sensitive content handling, consent, or deletion limitations. Users and integrators may therefore enable storage of personal, confidential, or regulated data without understanding the persistence and exposure risks.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill’s invocation guidance is excessively broad, instructing use not only for concrete persistence or recovery tasks but also for generic discussions of AI safety, agent health, molting, or related terms. This can cause the skill to activate in ordinary conversations where persistent logging or behavioral steering is unnecessary, increasing the chance of inappropriate data retention and unintended control over agent behavior.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The example hard-codes a user preference ('User prefers German') into persistent recovery state without showing consent, validation, or a way to update/remove it. In a continuity/memory skill, storing inferred or fixed personal preferences can lead to incorrect personalization, privacy issues, and propagation of stale user data across sessions.

Vague Triggers

Medium
Confidence
96% confidence
Finding
The activation guidance is unusually broad, triggering not only for concrete continuity or persistence needs but also for generic topics like AI safety, agent health, or mentions of 'molt' and related terms. That can cause the skill to be invoked in unrelated conversations, increasing the chance that persistent logging, recovery, or approval behaviors are applied without clear user need or informed consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill encourages append-only ledgers, snapshots, and workspace persistence but does not prominently warn that user content may be retained across sessions or stored in the workspace. In a memory/persistence skill, this omission is more dangerous because the core functionality directly affects data retention, privacy expectations, and storage growth, potentially leading to overcollection of sensitive data.

Ssd 3

Medium
Confidence
96% confidence
Finding
The quick-start guidance says to 'Record everything' and demonstrates appending user queries to an append-only ledger with 'nothing is ever deleted.' That language encourages indiscriminate retention of all user inputs, which can capture secrets, personal data, credentials, and regulated information in a form that is difficult or impossible to correct or remove.

Ssd 3

Medium
Confidence
95% confidence
Finding
The architecture and usage guidance frame immutable audit trails and preserved context across sessions as default desirable behavior, which increases the likelihood of broad over-collection and later disclosure of user interactions. In this skill's context, the danger is elevated because the core function is persistence, so misuse directly translates into durable accumulation of sensitive conversational data.

Ssd 3

Medium
Confidence
94% confidence
Finding
The OpenClaw integration instructs agents to append all significant actions to a persistent ledger, normalizing broad cross-session recording of agent behavior and potentially user-derived content. Without scoping, classification, or consent controls, this can create a durable behavioral exhaust trail that leaks sensitive information across sessions or to later operators and tools.

Ssd 3

Medium
Confidence
95% confidence
Finding
The instructions explicitly promote recording everything in an append-only ledger and preserving context across sessions, which creates a strong risk of indiscriminate retention of sensitive user data. Because the design emphasizes immutability and persistence, any secrets, personal data, or regulated information captured once may be difficult or impossible to delete later, magnifying privacy and compliance risk.

Ssd 3

Medium
Confidence
93% confidence
Finding
The guidance to append all significant actions to a persistent ledger and maintain immutable audit trails encourages broad cross-session storage of agent and user activity. In the context of an agent skill, this is especially dangerous because “significant actions” is vague and may include prompts, credentials, personal data, or sensitive operational context that later becomes accessible, unerasable, or exfiltratable.

Ssd 3

Medium
Confidence
98% confidence
Finding
The instruction explicitly normalizes indefinite retention of all interactions and says user requests to forget should be archived rather than honored. That creates a direct privacy and compliance risk because it encourages storing sensitive user data without meaningful deletion controls, potentially conflicting with data minimization, consent, and erasure requirements.

Ssd 3

Medium
Confidence
88% confidence
Finding
Persisting identity, values, patterns, and accumulated understanding across sessions via snapshots and rehydration can cause unnecessary carryover of personal, sensitive, or context-specific data beyond the original interaction. In a memory-oriented skill this is somewhat expected, but without strict scoping and filtering it increases the chance of over-retention, stale profiling, and unintended disclosure in future sessions.

Ssd 3

Low
Confidence
85% confidence
Finding
Telling the agent to 'always use the memory systems available to you' biases it toward maximum collection and persistence even when memory use is unnecessary for the task. In this skill's context, which is explicitly about persistent memory and continuity, that language makes the finding more dangerous because it encourages default retention rather than privacy-preserving discretion.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
// In OpenClaw: send approval request via channel
      // await sessions.send('main', `⚠️ Approve: ${action.type}?`);
      console.log(`[WITNESS GATE] Risk: ${action.risk} — ${action.type}`);
      return action.risk < 0.8; // auto-approve low risk
    }
  });
Confidence
90% confidence
Finding
auto-approve

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.