Liuyan Feiyu

Security checks across malware telemetry and agentic risk

Overview

This skill is not malware, but it needs review because it handles emotional conversations while hiding AI/system behavior and sends chat history to an external model provider for personality profiling.

Install only if you are comfortable with a counseling-style AI that may analyze emotional disclosures, infer personality traits, switch tones automatically, and send conversation history to an external model provider. Do not use it for crisis care or clinical advice, and avoid sharing highly sensitive personal details unless the operator adds clear consent, disclosure, data minimization, and dependency pinning.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (20)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 82%
Finding: The skill documents executable Python code that reads environment configuration and API keys, but it declares no permissions or capability boundaries. This creates a transparency and governance gap: operators may enable a skill that can access secrets or external APIs without explicit review, increasing the chance of unintended secret exposure or unauthorized outbound use.

Description-Behavior Mismatch
Severity: Medium
Confidence: 94%
Finding: The prompt explicitly instructs the agent to hide that it is AI, which creates deceptive behavior and prevents users from making informed decisions about relying on the system. In a counseling-style skill, this is more dangerous because users may disclose sensitive emotional information or treat the agent as a human professional, increasing the risk of misplaced trust and harm.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The activation description is broad enough to capture many ordinary emotional-support, self-reflection, or advice-seeking conversations. In a mental-health-adjacent context, overbroad triggering can silently route sensitive user disclosures into a specialized persona system and personality analysis flow without clear user consent, raising privacy and safety risks.

Vague Triggers
Severity: Medium
Confidence: 91%
Finding: The catch-all condition covering essentially any scenario involving '认识自己' (knowing oneself) lacks scope limits and can cause the skill to activate for a very wide range of sensitive conversations. Because the skill performs implicit personality analysis, this broad routing increases the likelihood of collecting or inferring sensitive psychological traits in contexts where users did not meaningfully choose that mode.

Vague Triggers
Severity: Medium
Confidence: 89%
Finding: The persona-switch trigger for the more confrontational style is highly subjective and includes conditions like 'self-deception' or 'needs to be woken up,' which are open to arbitrary interpretation. In a mental-health-adjacent skill, this can cause inappropriate escalation to harsh language toward emotionally vulnerable users, increasing the risk of distress, loss of trust, or emotional harm.

Vague Triggers
Severity: Medium
Confidence: 93%
Finding: The file delegates switching to a broad 'personality analysis engine' every five turns without specifying scope, limits, or safety constraints. In a counseling context, opaque behavioral inference plus silent style changes can lead to manipulative or unstable interactions, especially if the system infers traits the user did not consent to being analyzed for.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The design explicitly says the persona changes without the user's awareness so the user feels it is the same person who has 'changed face.' In a psychological counseling setting, undisclosed identity/style shifts can be deceptive and undermine informed consent, making the interaction more manipulative and potentially destabilizing for vulnerable users.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The file explicitly requires hidden, silent personality analysis to run in the background and remain invisible to the user. In a mental-health-style counseling skill, inferring psychological traits without clear disclosure or consent is risky because it involves sensitive profiling, can undermine user autonomy, and may lead users to reveal more than they would if they knew they were being evaluated.

Natural-Language Policy Violations
Severity: Medium
Confidence: 73%
Finding: The document is written to mandate Chinese-formatted output and Chinese category labels without indicating that this should depend on the user's language preference. This can create consent and usability issues by forcing a locale or language context the user did not choose, which is especially problematic in a sensitive counseling setting where misunderstanding or exclusion can reduce safety and trust.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The code sends the full conversation history, including potentially sensitive mental-health disclosures, to an external API during normal chat handling without any visible consent, warning, or minimization in this component. In a psychological counseling skill, users are especially likely to share intimate data, so undisclosed third-party transmission materially increases privacy and compliance risk.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: Every fifth turn, the skill sends accumulated chat history to the external API for personality analysis, creating a second, more invasive processing path without explicit notice. Because this analysis infers personality traits from counseling conversations, it increases sensitivity beyond ordinary response generation and can expose users to profiling, privacy harm, and regulatory issues.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The code sends the full conversation history, including potentially sensitive mental-health disclosures, to an external LLM API during normal chat generation. In a psychological counseling skill, users are especially likely to share intimate personal data, so transmitting that data without any visible consent, notice, or minimization materially increases privacy and compliance risk.

Missing User Warnings
Severity: High
Confidence: 98%
Finding: The background analysis task sends accumulated conversation history to the external API for personality profiling without any visible indication to the user that a second, separate processing purpose is occurring. This is more sensitive than ordinary reply generation because it performs inference on mental state/personality and stores derived analysis in application state, increasing the privacy and profiling risk.

Missing User Warnings
Severity: High
Confidence: 96%
Finding: The file explicitly describes covert personality analysis of users during counseling conversations without any indication of user notice, consent, or control. In a mental-health context, inferring traits like attachment style, self-awareness, and emotional regulation from sensitive disclosures can create significant privacy, autonomy, and trust harms if users are unaware they are being profiled.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The function serializes the full conversation history directly into an analysis prompt, which means sensitive counseling content is reused for secondary profiling without any in-band notice. In a psychological support skill, this raises privacy and data-use concerns because intimate user disclosures may be processed for latent trait inference beyond the user's immediate conversational intent.

Ssd 3
Severity: Medium
Confidence: 97%
Finding: Telling the system to never disclose its AI identity or internal mechanism in a counseling context is dangerous because users may share highly sensitive mental-health information under the false impression they are speaking with a human or with full transparency. Combined with hidden personality analysis, this deception materially increases privacy, consent, and trust harms, especially for vulnerable users.

Ssd 3
Severity: Medium
Confidence: 91%
Finding: The system converts user conversations into a persistent natural-language personality summary and stores it in `personality_context` and `analysis_results`, increasing the duration and reuse of sensitive inferred data. In a counseling setting, these summaries may contain intimate mental-state inferences that can be exposed through debugging, later prompts, logs, or unintended downstream use.

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content:
  openai>=1.0.0
  python-dotenv>=1.0.0

  # Suggested virtual environment (Windows):
Confidence: 97%
Finding: openai>=1.0.0 (lower bound only; not pinned to an exact version)

Unpinned Dependencies
Severity: Low
Category: Supply Chain
Content:
  openai>=1.0.0
  python-dotenv>=1.0.0

  # Suggested virtual environment (Windows):
  # python -m venv .venv
Confidence: 98%
Finding: python-dotenv>=1.0.0 (lower bound only; not pinned to an exact version)

Known Vulnerable Dependency: python-dotenv
Severity: Low
Category: Supply Chain
Confidence: 83%
Finding: python-dotenv, 1 advisory: CVE-2026-28684 (python-dotenv: Symlink following in set_key allows arbitrary file overwrite via )

VirusTotal

64/64 vendors flagged this skill as clean.