Relive

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do what it says, but it needs review because it creates persistent digital replicas from highly sensitive chats, voice, and image data with weak consent, deletion, and third-party-processing controls.

Install only if you are comfortable with persistent local storage of imported chats, derived personality profiles, voice references, generated media, and future conversations. Use it only with clear authorization from the person represented or a lawful basis, review OpenAI and Volc Engine API settings before use, avoid non-consensual impersonation, and manually inspect/delete the character storage and USER.md entries when no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (24)

Context-Inappropriate Capability

Severity: Medium. Confidence: 96%.
The README explicitly instructs persisting cloned-character identifiers in a workspace-wide USER.md so the agent can recall them later without asking again. That broadens retention beyond the immediate task and creates unnecessary cross-context exposure of highly sensitive identity data, especially in a skill designed to process chat logs, voice samples, and likeness data of real people.

Intent-Code Divergence

Severity: Medium. Confidence: 94%.
The privacy note claims data is used only for the current clone task, but the README elsewhere documents persistent runtime logs, vector indexes, and USER.md metadata retention. This contradiction is dangerous because it can mislead operators and users about actual data handling, undermining informed consent for extremely sensitive memorial, biometric, and conversational data.

Context-Inappropriate Capability

Severity: Medium. Confidence: 90%.
The skill instructs the agent to modify the global workspace USER.md with character metadata and routing instructions, extending its reach beyond the skill's own storage. Writing clone summaries and invocation rules into a global file creates a cross-skill persistence and disclosure channel for sensitive persona information.

Intent-Code Divergence

Severity: Medium. Confidence: 89%.
The privacy statement claims per-character isolation and task-limited use, yet the workflow instructs the agent to place summaries and routing instructions in global USER.md. This inconsistency can mislead users about where sensitive clone-related data is stored and who or what can later access it.

Description-Behavior Mismatch

Severity: Medium. Confidence: 90%.
The skill is designed to ingest highly sensitive personal artifacts to recreate a person's identity, and this configuration enables third-party remote video generation using an external API endpoint. That creates a real data exfiltration and privacy risk because clone-related prompts, likeness data, or generated outputs may be transmitted to an outside service, potentially without clear consent, minimization, or jurisdictional controls.

Missing User Warnings

Severity: High. Confidence: 97%.
The quick-start encourages ingesting chat logs, personality descriptions, audio, and images to recreate a person, but does not prominently warn that this involves highly sensitive personal, biometric, and potentially posthumous identity data. In this skill context, the omission is more dangerous because the tool is specifically designed for digital impersonation and persistence of intimate communications.

Missing User Warnings

Severity: Medium. Confidence: 95%.
The relive mode integration describes persistent logging and indexing of ongoing conversations, but the warning is not presented prominently at the point of use. Users may reasonably believe they are having an ephemeral conversation, when in fact each turn is retained and added to retrieval memory for future outputs.

Vague Triggers

Severity: Medium. Confidence: 80%.
The trigger criteria are broad natural-language phrases like 'clone/replicate someone' or 'create an AI persona,' which can cause accidental activation during ordinary discussion. In a skill that ingests highly sensitive chats, audio, and likeness data, unintended activation materially raises the risk of collecting and storing private data without sufficient user intent.

Missing User Warnings

Severity: High. Confidence: 95%.
The skill handles exceptionally sensitive inputs—private chat logs, voice samples, images, and generated likenesses—yet the description does not prominently warn users that these materials will be persistently stored and reused. Missing disclosure undermines informed consent and increases the chance that users expose intimate data without understanding retention and downstream use.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The skill documents optional video generation and polling/downloading behavior but does not clearly warn that user-provided likeness data may be sent to external video-generation services. This is risky because third-party processing can expose biometric and personal content beyond the local workspace.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The generate() method sends arbitrary user_message and system_prompt content to the external OpenAI API, but this file contains no consent, disclosure, redaction, or policy checks before transmitting potentially sensitive chat data. In a digital-twin skill that may process intimate conversations, this can expose highly personal data to a third-party processor without users clearly understanding that transfer.

Missing User Warnings

Severity: High. Confidence: 97%.
extract_profile() concatenates up to 100 conversation messages and uploads them to an external LLM for personality/profile extraction, which materially increases privacy risk because the data is likely to include sensitive relationship history, identifiers, and emotional content. Given this skill's purpose of cloning deceased loved ones or important people, the conversation history is especially sensitive and the undisclosed third-party upload is more dangerous than in an ordinary chatbot.

Missing User Warnings

Severity: Medium. Confidence: 96%.
The code logs the full video-generation request content before sending it to the external API. Because this skill handles highly sensitive materials such as chat logs, images, and likeness data for digital-clone creation, those logs may expose private personal data, prompts, or URLs to operators, log processors, or anyone with log access.
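The three findings above (generate() sending unredacted chat content to the external API, extract_profile() uploading up to 100 messages, and the request body being logged before transmission) describe one missing control: minimisation before data leaves the process. Below is an added example of such a gate, written for this review and not taken from the Relive skill or its dependencies. The function names, the redaction regexes, the consent flag, the 100-message cap and the sample messages are all assumptions chosen to match the findings.

```python
"""Minimisation gate for data sent to a third-party LLM or written to logs.

Added illustration for the generate()/extract_profile()/logging findings; nothing
here is the Relive skill's own code. The names (redact, build_profile_batch,
log_safe_summary) and the 100-message cap are assumptions.
"""
import hashlib
import json
import re

# Constructed patterns for the most common direct identifiers in chat exports.
# A real deployment would extend these (names, addresses, account numbers).
_PATTERNS = [
    (re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"), "[EMAIL]"),
    (re.compile(r"\+?\d[\d\s().-]{7,}\d"), "[PHONE]"),
    (re.compile(r"https?://\S+"), "[URL]"),
]


class ConsentRequired(Exception):
    """Raised when data would leave the workspace without an explicit opt-in."""


def redact(text: str) -> str:
    """Replace direct identifiers in a message body before it is logged or sent."""
    for pattern, label in _PATTERNS:
        text = pattern.sub(label, text)
    return text


def build_profile_batch(messages, consent: bool, max_messages: int = 100):
    """Select and minimise the messages a profile-extraction call would upload.

    `messages` is a list of {"role": ..., "content": ...} dicts (constructed
    input format). Returns (payload_text, kept_count). Raises ConsentRequired
    unless the operator has explicitly confirmed third-party processing.
    """
    if not consent:
        raise ConsentRequired("third-party profile extraction needs explicit opt-in")
    # Only the newest messages up to the cap are ever sent; older history stays local.
    kept = messages[-max_messages:]
    lines = [f"{m['role']}: {redact(m['content'])}" for m in kept]
    return "\n".join(lines), len(kept)


def log_safe_summary(payload_text: str) -> dict:
    """What to log instead of the request body: size and a digest, no content."""
    digest = hashlib.sha256(payload_text.encode("utf-8")).hexdigest()
    return {"bytes": len(payload_text.encode("utf-8")), "sha256": digest[:16]}


# Constructed sample chat export, not real data.
SAMPLE_MESSAGES = [
    {"role": "user", "content": "call me on +1 415 555 0134 tonight"},
    {"role": "assistant", "content": "sure, or email me at mei@example.org"},
    {"role": "user", "content": "see https://example.org/photos/family"},
]

if __name__ == "__main__":
    text, n = build_profile_batch(SAMPLE_MESSAGES, consent=True, max_messages=2)
    print(json.dumps({"kept": n, "summary": log_safe_summary(text)}))
    print(text)
```

The point of `log_safe_summary` is that an operator can still correlate a request with the provider's logs (size and digest) without the request body ever landing in local log files; the redaction step runs before both the log line and the upload, so the two views of the data cannot diverge.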

Missing User Warnings

Severity: Medium. Confidence: 89%.
This code persistently stores both user and assistant conversation turns in runtime memory by default, with no indication of consent, retention limits, or privacy controls at the storage point. In a digital-cloning skill that handles highly sensitive memorial and personality data, silent persistence increases the risk of unauthorized retention, secondary use, and exposure of intimate conversations.

Missing User Warnings

Severity: Medium. Confidence: 94%.
The code appends every user message and generated assistant response to a persistent JSONL file on disk with no consent check, retention control, access control visible in this file, or even directory creation/error handling around a privacy-sensitive path. In a digital-cloning skill that processes intimate chats, bereavement-related conversations, and personality reconstruction data, silent persistence materially increases privacy, compliance, and secondary-exposure risk if storage is later accessed, backed up, or reused unexpectedly.
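The two persistence findings above (turns kept in runtime memory by default, and turns appended to a JSONL file with no opt-in, retention limit, permission handling or directory creation) call for the same fix: storage that is off unless enabled, owner-only on disk, bounded in size and deletable on request. The following is an added example of that shape, written for this review rather than taken from the Relive skill; the TurnStore class, the per-character `turns.jsonl` layout, the retention limit and the demo turns are assumptions.

```python
"""Opt-in, permission-restricted, bounded conversation store.

Added illustration for the JSONL/runtime-memory persistence findings; it is not
the Relive skill's own code. TurnStore, its on-disk layout (one JSONL file per
character under a storage root) and the retention limit are assumptions.
"""
import json
import os
import tempfile
from pathlib import Path


class TurnStore:
    """Append conversation turns to <root>/<character>/turns.jsonl.

    Persistence is off unless the operator passes persist=True; the directory and
    file are created owner-only; the file is pruned to the newest `max_turns`
    entries so it cannot grow into an unbounded dossier; purge() removes it.
    """

    def __init__(self, root, character: str, persist: bool = False, max_turns: int = 200):
        # Reject ids that could escape the storage root (e.g. "../USER.md").
        if "/" in character or os.sep in character or character in ("", ".", ".."):
            raise ValueError("character id must be a single path component")
        self.path = Path(root) / character / "turns.jsonl"
        self.persist = persist
        self.max_turns = max_turns

    def append(self, role: str, content: str) -> bool:
        """Record one turn. Returns False (and stores nothing) when persistence is off."""
        if not self.persist:
            return False
        self.path.parent.mkdir(parents=True, exist_ok=True, mode=0o700)
        # O_CREAT with 0o600 so the file is never world-readable, even briefly.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_APPEND, 0o600)
        with os.fdopen(fd, "a", encoding="utf-8") as fh:
            fh.write(json.dumps({"role": role, "content": content}) + "\n")
        self._prune()
        return True

    def _prune(self) -> None:
        lines = self.path.read_text(encoding="utf-8").splitlines()
        if len(lines) > self.max_turns:
            self.path.write_text("\n".join(lines[-self.max_turns:]) + "\n", encoding="utf-8")

    def turns(self) -> list:
        if not self.path.exists():
            return []
        return [json.loads(line) for line in self.path.read_text(encoding="utf-8").splitlines()]

    def purge(self) -> int:
        """Delete the character's stored turns; returns how many were removed."""
        count = len(self.turns())
        if self.path.exists():
            self.path.unlink()
        return count


def demo() -> dict:
    """Exercise the store in a throwaway directory and return what happened."""
    with tempfile.TemporaryDirectory() as tmp:
        off = TurnStore(tmp, "alice")               # default: nothing written
        stored_when_off = off.append("user", "hi")
        on = TurnStore(tmp, "alice", persist=True, max_turns=3)
        for i in range(5):                          # constructed turns, not real chat
            on.append("user" if i % 2 == 0 else "assistant", f"turn {i}")
        mode = on.path.stat().st_mode & 0o777
        kept = [t["content"] for t in on.turns()]
        purged = on.purge()
        return {"stored_when_off": stored_when_off, "mode": mode, "kept": kept,
                "purged": purged, "exists_after_purge": on.path.exists()}


if __name__ == "__main__":
    print(demo())
```

The retention cap is the control the findings say is absent: with `max_turns` set, the store holds a sliding window rather than every exchange since the character was created, and `purge()` gives the operator the manual deletion step the overview recommends.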

Natural-Language Policy Violations

Severity: Medium. Confidence: 86%.
The init file hard-codes a specific target identifier ("永仁") instead of requiring explicit user selection or consent. In a digital-cloning skill, preselecting a person to be replicated increases the risk of unauthorized impersonation, privacy violations, and cloning of a real individual without clear operator intent or approval.

Missing User Warnings

Severity: Medium. Confidence: 88%.
The skill converts sensitive chat logs into a markdown file on disk under storage without any consent, warning, retention control, or access restriction. Because this skill processes highly intimate cloning data about real people, writing a human-readable export increases the chance of unintended disclosure through local access, backups, sync tools, or later reuse by other components.

Missing User Warnings

Severity: Medium. Confidence: 90%.
The code automatically downloads generated video content from a URL and persists it to disk in the target's cache directory without clear user disclosure or an opt-in save step. In a digital-cloning context, these videos may contain highly sensitive likeness and voice data, so silent persistence materially increases privacy and misuse risks if the filesystem, logs, backups, or shared environment are accessible.

Ssd 3

Severity: Medium. Confidence: 96%.
The instruction to add characters to USER.md so the agent can recall them without asking again directs long-term reuse of personal data in a global workspace location. That bypasses contextual consent and increases the chance of unauthorized reuse, especially when the stored subjects are real individuals reconstructed from sensitive source material.

Ssd 3

Severity: High. Confidence: 98%.
The README instructs the main agent to persist all subsequent dialogue for a character and index it for RAG, creating an accumulating dossier of private interactions. In a digital-clone skill, this materially increases privacy, impersonation, and misuse risk because generated and user-authored content are retained and later resurfaced as memory.

Ssd 3

Severity: High. Confidence: 98%.
The synthesize flow explicitly states that each user message is written to runtime logs and the RAG index. This is dangerous because it silently transforms live conversation into durable memory, which may later be used to generate additional outputs or expose intimate information beyond the user's immediate expectation.

Ssd 3

Severity: Medium. Confidence: 93%.
The workflow directs the agent to ingest private chat logs, derive a personality profile, and persist those materials and outputs for future reuse. That creates a durable repository of sensitive interpersonal content and inferred traits, increasing privacy and misuse risks if the workspace is later accessed by other agents or users.

Ssd 3

Severity: High. Confidence: 96%.
The character-creation flow explicitly instructs extraction, summarization, and storage of sensitive material from chat logs and voice references, including derived persona traits and transcripts. In the context of digital cloning, these derived artifacts can reveal intimate behavioral patterns and biometric-like identity information, making the privacy impact especially severe.

Ssd 3

Severity: Medium. Confidence: 90%.
The skill mandates ongoing persistence of each conversation turn and retrieval context under the character directory. Continuous logging compounds the privacy risk by building an expanding dossier of user interactions and potentially sensitive emotional or personal disclosures over time.

VirusTotal

65/65 vendors flagged this skill as clean.