Anima Aios

Security checks across malware telemetry and agentic risk

Overview

This memory-growth skill is broadly purpose-aligned, but it needs Review because it can persist and transform sensitive agent data, use external LLM endpoints, and scan or write across agents despite inconsistent disclosures.

Install only if you are comfortable with durable local memory storage and possible processing of agent sessions, memory files, learning logs, message queues, and derived profiles. In shared or multi-agent environments, use a private ANIMA_FACTS_BASE, verify team_mode and ANIMA_TEAM_MODE are off, inspect LLM base_url/api_key settings, avoid remote LLM providers for sensitive data, and review ~/.anima plus facts_base for stored data and deletion needs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (35)

Dynamic import via __import__()

Medium
Category
Dangerous Code Execution
Content
            try:
                from ..config.path_config import get_config
            except ImportError:
                import sys as _s; _s.path.insert(0, str(__import__('pathlib').Path(__file__).parent.parent / 'config')); from path_config import get_config
            facts_base = str(get_config().facts_base)
        self.facts_base = Path(facts_base)
        self.agent_dir = self.facts_base / agent_name
Confidence
82% confidence
Finding
import sys as _s; _s.path.insert(0, str(__import__('pathlib').Path(__file__).parent.parent / 'config')); from path_config import get_config

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The documentation states that all data processing is local and that there are no network requests, but elsewhere the skill explicitly supports configurable LLM providers, including potentially remote ones. This mismatch can mislead users into enabling processing under incorrect privacy assumptions, causing unintended transmission of memory or cognition data to external services.

Intent-Code Divergence

Medium
Confidence
84% confidence
Finding
The script usage section claims all scripts are local and perform no network calls, while the broader documentation allows remote LLM providers for classification, deduplication, and quality assessment. Even if the scripts themselves do not initiate requests directly, the overall claim is materially misleading because the installed skill may still exfiltrate user data through configured providers.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
_get_current_agent is documented as resolving the current agent identity, but its fallback logic scans FACTS_BASE and returns the name of any agent directory containing exp_history.jsonl. That can misattribute identity based on unrelated tenants' data and creates cross-agent information disclosure and trust-boundary confusion in a multi-agent environment.

Intent-Code Divergence

Medium
Confidence
90% confidence
Finding
The recover flow is presented as self-check/self-repair, but it also invokes _generate_all_profiles, which performs a broad cross-agent write operation not clearly disclosed at the point of repair. Users invoking repair may not expect processing of all agents' data, so this is a transparency and scope-expansion issue with privacy implications.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
_generate_all_profiles iterates over every directory under FACTS_BASE and generates or updates cognitive profiles for each agent. Bulk processing across all agents exceeds the apparent scope of a local diagnostic tool and can access or modify data belonging to other tenants, increasing privacy and isolation risk.

Context-Inappropriate Capability

Medium
Confidence
86% confidence
Finding
The team-ranking feature enumerates all agent directories and aggregates EXP across them, expanding access beyond the documented per-agent memory and profile tooling. In a multi-user environment this creates an unauthorized information-disclosure surface by exposing other agents' activity and progression metadata without access control.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The script comment states there are no remote operations, but it runs pip to install watchdog from external package repositories. This is security-relevant because it introduces network access and third-party code execution during installation, which expands supply-chain risk and can mislead users or reviewers about the trust boundary of the installer.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill advertises silent automatic scanning of another tool's `.learnings/` directory and extraction of records without a prominent warning in that feature section. Silent ingestion of another application's local artifacts creates a consent and data-minimization risk, especially when those records may contain sensitive prompts, outputs, or operational details.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
recover triggers _generate_all_profiles automatically once repair starts, without a dedicated warning at the operation site that it will write across multiple agent directories. In non-interactive modes such as --yes or --auto, this enables silent bulk writes beyond what a user may reasonably expect from 'doctor --fix'.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
sync_memory_to_facts copies workspace memory content into persistent facts storage and creates new files, but it does not warn that user-authored content will be duplicated into another retention domain. This can surprise users, increase data persistence, and replicate sensitive content without minimization or consent at write time.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The memory-writing tool persistently stores arbitrary user content in multiple locations without explicit disclosure or consent at write time. In a memory skill, that context makes retention expected, but the multi-location persistence increases privacy risk because users may unknowingly submit sensitive data that is duplicated across stores.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
Search queries are included in EXP history details, creating secondary retention of potentially sensitive user intents or disclosures without clear notice. Queries often contain personal or confidential terms, so logging them outside the primary search workflow broadens privacy exposure.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The code automatically scans ~/.openclaw workspace memory files, including MEMORY.md and markdown notes, to infer reflective behavior without any visible consent, warning, or opt-in. In an agent skill context, silent cross-workspace inspection is more dangerous because memory files may contain sensitive operational notes, personal reflections, or secrets unrelated to scoring.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The collaboration score reads message queue files from inbox/outbox directories without warning or consent, which can expose communication metadata and, through future changes or logging, potentially message contents as well. In this skill context, silent monitoring of inter-agent communications increases privacy risk and may reveal sensitive organizational relationships or task flows.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This engine sends episodic memory content, distilled knowledge, and duplicate-comparison material to a configurable external LLM endpoint without any consent gate, redaction, or visible disclosure in the code path. In a memory-distillation component, that context makes the issue more serious because the data likely contains sensitive internal notes, decisions, and operational details that users may reasonably expect to remain local.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Learning entries are persisted automatically to disk, including free-form `summary`, `details`, `suggested_action`, and related metadata, without any consent gate, disclosure, or apparent data minimization. In an agent context, those fields may contain prompts, file paths, error contents, or user-derived sensitive information, creating a privacy and data-retention risk if secrets or personal data are logged unintentionally.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
User feedback, including captured `content` and `context.original_text`, is automatically written to `~/.anima/data/learning_signals/signals.json` without consent, minimization, or sanitization. Feedback can easily contain sensitive data, secrets, or private prompts, so local persistence creates a confidentiality and privacy risk, especially on shared systems or in environments with weak file protections.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The watcher silently scans a sibling .learnings directory and imports data into the agent's facts store without user-facing notice, consent, or policy checks. In an agent/memory system, this creates a covert data-ingestion path that can capture sensitive notes or adversarial content from another tool and persist it into long-term memory.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
When an LLM client is configured, the engine sends combined knowledge content derived from stored entries directly to an external model via `self.llm.call(...)`. Because the file provides no consent, disclosure, redaction, or policy gating, potentially sensitive internal knowledge may be exfiltrated to a third-party service unexpectedly; in an agent memory/knowledge component, that context makes the issue more concerning than a generic summarizer.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
The engine persists reflection history containing task IDs, context-derived content, outcomes, errors, and improvement actions to a predictable local file path without consent, disclosure, retention controls, or access protection. If reflections include sensitive task data, secrets, internal errors, or user content, this can lead to unintended local data exposure and privacy leakage.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The examples explicitly describe automatic writes to dated memory files and background synchronization to another storage layer, but they do not disclose retention, visibility, consent, or where the data is stored. In an agent skill, this can mislead users into providing sensitive information under the assumption it is ephemeral chat content, when it is actually persisted and propagated automatically.

Missing User Warnings

Low
Confidence
82% confidence
Finding
The cognitive profile and team leaderboard examples display potentially sensitive personal or performance-related data without any notice about who can view it, how it is derived, or whether sharing is opt-in. This creates privacy and workplace-sensitivity risk because users may not realize that profiling and ranking information could be exposed to other users or team members.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The documentation explicitly states that the skill runs automatically, watches agent-written memory files, performs scheduled processing, and modifies stored memory data, but it does not warn users that background writes and transformations will occur. In an agent skill context, undisclosed autonomous filesystem activity and scheduled mutation of memory stores can affect user data integrity, privacy expectations, and auditability, making this more dangerous than ordinary product documentation omissions.

Missing User Warnings

Low
Confidence
80% confidence
Finding
The configuration and environment variable sections describe storage locations, monitored directories, and persistence paths, but they do not clearly warn that user or agent data will be stored long-term and potentially monitored on the filesystem. This omission can mislead users about the privacy and persistence implications of installation, especially because the skill appears to auto-detect directories and run with little manual configuration.

VirusTotal

66/66 vendors flagged this skill as clean.