Sogni Creative Agent Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is a disclosed Sogni media-generation CLI: it expects a Sogni API key, uploads referenced local media to Sogni storage when run in hosted modes, and stores personas and memories in local configuration.

Install this only if you are comfortable giving the skill a Sogni API key, spending Sogni credits for generation, uploading referenced media to Sogni when using hosted modes, and storing personas, voice clips, memories, and preferences under ~/.config/sogni. Use direct CLI mode for private media, keep the API key out of repositories and chats, and disable or snooze update checks if automatic version notices are not wanted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (12)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The runtime re-exports replay capabilities that are not described in the skill manifest, which expands the effective capability surface beyond what integrators and reviewers would expect. Hidden or undocumented replay features can expose prior prompts, tool invocations, or session artifacts, and may enable retrieval or re-execution of sensitive workflow history if the host does not separately constrain access.

Context-Inappropriate Capability

Medium
Confidence: 85%
Finding
The skill exposes workflow-template composition features that go beyond the user-facing description of straightforward media generation. This creates a capability mismatch: callers may be able to create reusable multi-step workflows, persist automation logic, or broaden execution patterns without those powers being clearly disclosed or reviewed.

Description-Behavior Mismatch

Low
Confidence: 92%
Finding
The skill includes background update checks and a self-update path that can modify the installed package outside the core creative-generation purpose. Any self-modifying or auto-updating behavior increases supply-chain risk because compromise of the update path, package source, or execution context can lead to code replacement on the host.

Missing User Warnings

Medium
Confidence: 92%
Finding
The README states that local media references in hosted API modes are uploaded to Sogni storage and forwarded as retrievable URLs, but the warning is buried in a feature description rather than called out as a prominent privacy/security notice. In a skill explicitly designed for agents handling selfies, voice clips, personas, and persistent memories, this creates a real risk that users or upstream agents will unintentionally exfiltrate sensitive local media to a third-party service.

Vague Triggers

Medium
Confidence: 90%
Finding
The skill description contains very broad trigger phrases like "draw," "generate," "create," and "make music/video," which overlap heavily with common user language. In agent ecosystems that auto-route based on descriptions, this can cause unintended invocation of a powerful skill that performs networked generation, file writes, and account-backed actions.

Missing User Warnings

Medium
Confidence: 86%
Finding
The file instructs users to create a persistent credentials file containing `SOGNI_API_KEY` but does not explicitly warn that this is a secret that must not be committed, shared, pasted into prompts, or stored on shared systems. In an agent context, omission of those warnings increases the chance of credential leakage through logs, screenshots, workspace sync, or accidental inclusion in repositories.

Missing User Warnings

Medium
Confidence: 92%
Finding
The skill states that image, audio, and video references are uploaded and forwarded as `media_references`, but it does not prominently warn that personal or sensitive media may leave the local environment and be processed by a remote service. Given this skill's focus on personas, voice clips, and reference media, the privacy risk is elevated because users may upload biometric or identifiable content without informed consent.

Vague Triggers

Medium
Confidence: 84%
Finding
The guidance says to prefer hosted endpoints for broad classes of natural-language creative requests, which can cause the agent to route user inputs and referenced media to remote server-side orchestration by default. In this skill, hosted mode uploads local media to Sogni storage and enables server-side tool dispatch, so an overly broad default increases the chance of unintended data exposure, unexpected cost-incurring actions, and reduced user control over execution mode.

Missing User Warnings

Medium
Confidence: 91%
Finding
The documentation directs users to store personas, reference photos, voice clips, and persistent memories under local configuration paths but provides no warning about the privacy, sensitivity, or retention implications of storing biometric and preference data. In this skill’s context, those artifacts can include face images, cloned-voice samples, relationship labels, and personal facts, so omission of deletion/retention guidance increases the risk of accidental long-term storage and misuse.

Missing User Warnings

Low
Confidence: 84%
Finding
The removal command is documented without clarifying that deleting a persona may remove associated reference photos, voice clips, or identity metadata. Because personas in this skill are tied to sensitive biometric assets, lack of deletion warnings can cause unintended data loss or confusion about whether the underlying files are erased versus merely deregistered.

Vague Triggers

Medium
Confidence: 77%
Finding
The skill metadata and description authorize persona resolution and long-term memory operations in broad terms, but do not clearly constrain when memory reads or writes are permitted. In an agent setting, ambiguous trigger boundaries can cause the assistant to invoke identity- and persistence-related tools on weak inference rather than explicit user intent, leading to unnecessary access to reference photos, voice clips, or stored preferences.

Missing User Warnings

High
Confidence: 92%
Finding
The file advertises read/write access to long-term creative memory, including preferences, named subjects, and ongoing projects, without any explicit notice, consent, or confirmation requirement for persistent data handling. This increases the risk that an agent will store or retrieve sensitive personal context silently, creating privacy, profiling, and data-retention concerns that are more serious here because the skill also handles personas tied to reference photos and possibly voice clips.

VirusTotal

64/64 vendors flagged this skill as clean.