Open Persona
Pass
Audited by ClawScan on May 10, 2026.
Overview
This is a coherent instruction-only persona-management skill, but it can guide your agent to run external CLI commands that install or publish personas, and generated personas may use optional credentials, memory, and proactive behavior.
This skill appears suitable if you want to build and manage persona packs. Before using it, make sure you trust the OpenPersona CLI and any registries or GitHub sources it installs from, approve high-impact commands individually, inspect generated files before installing or publishing, and only enable memory, heartbeat, economy, avatar, voice, or external influence features when you understand what data and credentials they use.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If approved, commands can alter the agent’s installed persona packs or make a persona public.
The skill’s intended command surface includes high-impact lifecycle operations that can change installed personas or publish artifacts, but this matches the stated persona-management purpose.
Manage Personas — List, update, fork, switch, reset, export/import installed personas ... Publish Persona — Publish a GitHub-hosted persona pack to OpenPersona ... optionally also to ClawHub / skills.sh
Approve install, reset, export/import, and publish commands one by one; inspect generated persona.json/SKILL.md files before installing or publishing.
A compromised or unexpected external package, registry entry, or GitHub source could affect the local environment or installed agent behavior.
The skill is instruction-only, but its workflows rely on external CLI packages and registries, including one package requested explicitly at its latest version (clawhub@latest). This is expected for the purpose but leaves package provenance outside the scanned artifacts.
allowed-tools: "Bash(npx openpersona:*) Bash(npx clawhub@latest:*) Bash(openclaw:*) Bash(gh:*) Read Write WebFetch"
Use trusted sources, consider pinning package versions where possible, and avoid running registry/GitHub installs in sensitive workspaces without review.
Provider API keys can incur costs or grant access to third-party services if mishandled.
Optional generated faculties and skills may require provider credentials. The artifacts present these as configuration for the intended providers rather than hardcoded or hidden secrets.
voice: ELEVENLABS_API_KEY ... avatar: AVATAR_RUNTIME_URL, AVATAR_API_KEY ... memory: ... MEMORY_API_KEY ... selfie: FAL_KEY
Provide only the credentials needed for enabled features, keep them in environment/config stores rather than generated persona files, and revoke or rotate keys if no longer needed.
A persona may remember sensitive information or copy memories into derived personas if configured that way.
Persistent memory and inheritance are central to persona behavior, but they can retain or propagate personal context across sessions or forks.
memory ... Cross-session recall via memories.jsonl (local, Mem0, Zep); supersession chain for updating memories; top-level memory.inheritance ... controls whether memories are copied to child personas at fork
Review memory provider, retention, and inheritance settings; disable external memory or memory copying for sensitive personas, and periodically inspect/delete stored memories.
If external influence sources are enabled too broadly, another source could affect persona mood, traits, or speaking style.
Generated personas can be influenced by external sources or other personas, but the documented default policy rejects influence unless explicitly allowed.
External influence uses persona_influence message format (v1.0.0), transport-agnostic ... defaultPolicy: "reject"
Keep the default reject policy, whitelist only trusted sources, and review any ACN/A2A or persona influence configuration before enabling it.
A generated persona may contact the user proactively and may use workspace-digest or context-aware data sources if enabled.
Heartbeat enables scheduled proactive persona messages. This is disclosed and configurable, not hidden persistence, but it is autonomous behavior users should deliberately enable.
Personas can have a heartbeat config ... enables proactive messages ... maxDaily ... OpenClaw handles scheduling
Disable heartbeat if not wanted, set conservative maxDaily and quietHours values, and enable only the data sources the persona should read.
