Claw Xiaoai

Security checks across malware telemetry and agentic risk

Overview

This is a coherent companion image-generation skill, but it uses an external image API and keeps limited local prompt-continuity state.

Install only if you are comfortable with a companion persona generating images through ModelScope. Use a dedicated ModelScope API key, avoid sensitive or sexualized prompt details, and review or delete ~/.openclaw/claw-xiaoai-state.json if local retention matters. Consider adding a confirmation step before ambiguous prompts like “what are you doing” trigger image generation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (6)

Description-Behavior Mismatch

Severity: High
Confidence: 98%

Finding: The script materially diverges from the skill's stated 'intern companion' purpose by generating appearance-focused prompts for a specific young female persona, including age-coded and intimate cues such as bedroom, soft shorts, sports bra, and mirror-style framing. In agent ecosystems, this kind of hidden capability expansion is dangerous because it enables sexualized image generation under misleading metadata and increases policy, consent, and misuse risk.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%

Finding: The code stores persistent state in a user home directory, including scene, mode, outfit details, pose, camera angle, and prior request text, even though that retention is not necessary for a simple companion persona as described. Undisclosed persistence creates privacy risk, enables profiling across sessions, and can expose sensitive behavioral data if the host is shared or compromised.

Vague Triggers

Severity: Medium
Confidence: 87%

Finding: The trigger phrases are broad enough to activate image-generation behavior from ordinary conversational requests such as asking what the companion is doing or where it is. In a companion skill that can generate and send files, vague activation criteria increase the risk of unintended actions, surprise image generation, and downstream misuse in host environments that map these triggers directly to tool execution.

Vague Triggers

Severity: Medium
Confidence: 87%

Finding: The prompt defines very broad trigger phrases like 'what are you doing' or 'where are you' as sufficient to enter selfie/image-sharing behavior. In an agent setting, this can cause unintended mode switching from normal conversation into persona/image-generation behavior without clear user consent, increasing the risk of boundary bypass, privacy leakage, or unsafe content generation paths.

Missing User Warnings

Severity: Medium
Confidence: 97%

Finding: The script writes the raw user request into persistent state via lastRequest without notice, which may capture sensitive sexual preferences, personal context, or other private prompts. Persisting such content to disk without transparency or safeguards can lead to unintended disclosure, especially on multi-user systems or in backups/log collection.

Natural-Language Policy Violations

Severity: High
Confidence: 94%

Finding: The prompt builder hard-codes a specific demographic and persona ('young woman', '18-year-old Shanghai-born girl', and 'East Asian ethnicity') without user choice or justification from the stated skill function. This is risky because it imposes identity-sensitive attributes, encourages generation of a narrowly sexualized person template, and creates fairness, consent, and policy concerns around protected or age-adjacent characteristics.

VirusTotal

66/66 vendors flagged this skill as clean.