Open Persona

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed persona-management skill that can change local agent personas and use external CLIs, but the risky behaviors are aligned with its stated purpose and not hidden.

Install this if you want an agent to manage persona packs and you trust the OpenPersona CLI and the registries it uses. Review generated persona.json and SKILL.md files before installing or switching personas, approve publish/register/contribute commands one by one, and only enable memory, heartbeat, economy, voice/avatar, ACN, or external skill features with the data sources and credentials you are comfortable sharing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The document explicitly encourages proactive use of workspace data, calendar context, and interaction history, which are privacy-sensitive sources, but it does not pair that capability with clear user-facing consent, disclosure, or scoping requirements. In a persona/agent framework, this can normalize silent background access to personal context and lead to overcollection, unexpected monitoring, or disclosure of sensitive information in outbound heartbeat messages.

VirusTotal

63/63 vendors flagged this skill as clean.
