ClawHub

Personality Engine

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it needs review because it can send unprompted messages and store user interaction history without enough consent, retention, or frequency controls.

Install only if you intentionally want an agent to send proactive check-ins, change alert timing based on engagement, and keep local interaction history. Before use, require explicit user opt-in, add clear disable and delete controls, enforce cadence logging for micro-initiations, use separate state directories per user or agent, set retention limits, and avoid sending stored context summaries to external model APIs without review. Static scan was clean and VirusTotal was pending; this Review verdict is based on the artifact behavior itself, not malware telemetry.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (13)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill describes persistent writes to `~/.openclaw/state/daily_context.json` and `~/.openclaw/state/response_tracker.json`, yet no corresponding permission declaration is provided. Undeclared file-write capability is dangerous because it creates hidden statefulness and weakens user/operator control over what the skill can store locally.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The documented behavior says the system should remain silent, but the implementation returns should_send=True and emits a silence-themed message instead of suppressing output. In a proactive trading/personal-assistant context, this defeats user expectations and can be used to continue unsolicited contact even when policy logic decided not to engage.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly advertises unprompted ambient pings and adaptation to user engagement patterns, but it does not warn users that the skill may initiate autonomous outreach or infer behavior from interaction history. In a general-purpose agent skill, this can lead to surprising agent actions, privacy concerns, and misuse in sensitive domains like trading or monitoring where unsolicited nudges may influence user decisions.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill explicitly supports unprompted messaging ('micro-initiations') and persistent engagement tracking/response logging without a clear user-facing consent and disclosure model. In a proactive messaging system, this is dangerous because it enables behavioral profiling and unsolicited outreach that can violate privacy expectations and become abusive or noncompliant in production deployments.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The skill hard-codes US holiday awareness and locale assumptions without user selection or regional configuration. This is lower-severity than the tracking issue, but it is still risky because implicit locale inference can cause inappropriate messaging, inaccurate behavior, and unintended disclosure of assumptions about a user's region or schedule.

Missing User Warnings

Low
Confidence
87% confidence
Finding
The example encourages exporting engagement metrics to CSV and writing them to disk without any note about data sensitivity, storage location, file permissions, or retention. While not an exploit by itself, this can lead users to persist behavioral telemetry in plaintext where it may be exposed to other local users, backups, or downstream tooling.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The guide shows taking context from a buffer and injecting it directly into the system prompt for an external API call, without warning that prior messages or derived summaries may contain sensitive or attacker-influenced content. This creates both privacy leakage risk and prompt-injection amplification, because untrusted historical content is elevated into a high-trust prompt position.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This customization stores rolling context history in a local JSON file and retains up to 1000 messages, but provides no warning about privacy, retention, consent, or secure storage. Because the skill is a personality/memory engine intended for broad agent use, the logged content can include sensitive user interactions and create a durable local surveillance record if the host is compromised or shared.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The design explicitly tracks user engagement, ignores, response timing, and persists that behavioral data across sessions, yet the documentation contains no consent, disclosure, or control requirements. In a domain-agnostic agent that can operate proactively, this enables covert profiling and behavior shaping, especially when urgency and frequency are adapted based on user responsiveness.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The micro-initiation system is designed to send unsolicited messages such as ambient check-ins and absence-based outreach, but the spec provides no explicit user warning, consent model, or safety boundaries for unprompted contact. In combination with engagement monitoring and timing optimization, this increases the risk of manipulative nudging, user discomfort, and privacy-invasive behavioral inference.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The module persistently stores daily message context, including message snippets and associated metadata such as topics, markets, and portfolio-related values, to disk without any visible consent, disclosure, retention controls, or access protections in this code. In an agent used for trading, assistants, or monitoring, this creates a privacy and data-governance risk because sensitive conversational or behavioral data may be retained unexpectedly and exposed through backups or local filesystem access.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The skill persists behavioral telemetry to disk in `micro_state.json`, including send timestamps and per-pool history tied to user absence/activity conditions. In an agent context, this creates a privacy risk because local activity patterns can be inferred from retained state, and there is no minimization, retention control, disclosure, or access protection around that data.

Session Persistence

Medium
Category
Rogue Agent
Content
}

    def _save_context(self) -> None:
        """Save context to disk with backup rotation."""
        _safe_save_state(self.context_file, self.context)

    def get_all_messages(self) -> List[Dict[str, Any]]:
Confidence
86% confidence
Finding
Save context to disk

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal