ClawHub

mar-elicitation

Security checks across malware telemetry and agentic risk

Overview

This documentation-only skill is not malware, but it should be reviewed because it teaches agents to draw out and infer very sensitive psychological information without strong consent or privacy boundaries.

Install only for transparent, voluntary interviewing, coaching, research, or self-reflection where participants know the purpose and can skip or stop. Do not use it to profile unaware people, infer mental health or sexuality, or retain sensitive autobiographical profiles without explicit consent and clear retention limits.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill explicitly promotes psychological profiling and elicitation of formative memories, values, schemas, and identity narratives without any prominent consent, privacy, or safety boundaries. That creates a real risk of extracting highly sensitive personal or mental-health-adjacent information under the guise of natural conversation, which can enable manipulation, over-collection of data, or inappropriate handling of vulnerable disclosures.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The file discusses inferring psychological traits from language and mentions consent and surveillance implications, but it does not translate those concerns into explicit operational safeguards or user-facing warnings in the skill behavior. In the context of an elicitation skill designed to build psychological profiles, this omission can enable covert profiling or analysis of users without clear notice, increasing privacy and manipulation risks.

Natural-Language Policy Violations

Low
Confidence
82% confidence
Finding
The document acknowledges that LIWC is validated primarily in English and Western samples, but it does not provide a language/locale gate or require the user to confirm applicability before using the method. In a profiling-oriented skill, applying English-centric inference rules to other languages or cultures can produce misleading psychological judgments and biased downstream decisions.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guidance explicitly frames Motivational Interviewing as useful for elicitation and says these techniques create conditions for authentic disclosure, but it does not include safeguards for sensitive, traumatic, or emotionally destabilizing disclosures. In a skill whose stated purpose is psychological profiling and gradual deep self-disclosure, this omission increases the risk of manipulating users into revealing intimate information without informed consent, boundaries, or crisis-handling guidance.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
This skill explicitly prompts for deeply sensitive autobiographical material, including low points, fear, despair, childhood memories, and potentially traumatic experiences, but provides no safeguards such as informed consent, emotional-risk warnings, age/appropriateness checks, or escalation guidance. In the context of an agent skill designed for "psychological profiling" and "eliciting authentic self-disclosure," this materially increases the risk of emotional harm, oversharing of highly sensitive data, and collection of trauma-related disclosures without proper boundaries.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This skill contains extensive prompts designed to elicit highly sensitive autobiographical, emotional, sexual, family, health, loss, and identity-related disclosures, but it does not include an explicit warning about emotional activation, privacy risks, or guidance on informed consent and boundaries. In the context of a skill explicitly marketed for psychological profiling and gradual self-disclosure, that omission increases the risk of users revealing intimate information they may not have intended to share and of distress being triggered without preparation.

Ssd 4

Medium
Confidence
92% confidence
Finding
The description frames the skill as building psychological profiles through gradual disclosure, which encourages strategic trust-building to obtain deeper personal information over time. In context, this is not just general interviewing guidance; it operationalizes staged elicitation of sensitive identity and memory content, increasing the risk of manipulative social engineering and excessive collection of intimate data.

Ssd 4

Medium
Confidence
94% confidence
Finding
The instruction to create conditions for authentic self-disclosure and to iterate until reaching a perfect score normalizes optimizing for deeper revelation rather than respecting user comfort or informational necessity. This can pressure systems using the skill to continue refining prompts until a person divulges more than they intended, especially around identity, trauma, and enduring concerns.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal