Security audit

persona-knowledge

Security checks across malware telemetry and agentic risk

Overview

This skill appears to do its stated job, but it can persist and export very private messages and archives without enough explicit consent or redaction controls.

Review before installing. Use this only if you intentionally want a long-lived local persona dataset built from private archives. If you do:
  • Run dry runs carefully; their previews can print sensitive message text to the terminal.
  • Remove DM and unrelated folders before ingesting social-media archives.
  • Avoid pointing it at broad personal directories or chat.db unless necessary.
  • Treat training exports as sensitive: unless manually redacted or exported with wiki-only mode, they may contain raw chats, notes, emails, phone numbers, passwords, and third-party messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (13)

Description-Behavior Mismatch

Severity: Medium
Confidence: 91%
Finding
The adapter silently expands scope from public social-media archive parsing into private Twitter direct-message ingestion whenever a DM file is present. In a persona-knowledge skill, this is especially sensitive because private communications can be indexed, searched, and later reused for training/export, creating privacy, consent, and data-minimization risks beyond what a user may reasonably expect from the documented functionality.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding
The Instagram parser also broadens ingestion from posts to private inbox conversations without an explicit boundary or consent gate. Given this skill's purpose of building a persistent persona knowledge base, importing inbox data can expose highly sensitive interpersonal content to long-term storage, search, and downstream model-training workflows.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The skill is designed to ingest highly sensitive personal archives, chats, and social data, but it does not present a clear user-facing privacy warning, consent boundary, or data handling notice before collection and persistence. This increases the risk that users or downstream agents will process intimate or regulated data without understanding retention, exposure, and reuse consequences.

Missing User Warnings

Severity: Medium
Confidence: 98%
Finding
The export flow copies raw source files directly into `training/raw/`, which can propagate private conversations, PII, credentials, or other sensitive material into downstream training and sharing workflows. Because the skill frames this as normal output and lacks strong warnings or mandatory sanitization, it materially increases the chance of privacy leakage and overexposure.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
The Twitter DM parsing code processes message text and sender identifiers with no user-facing warning, consent prompt, or sensitivity labeling. In this context, lack of notice is dangerous because the resulting data is not merely transient parsing; it is likely to be persisted and used for persona reconstruction or training, increasing the chance of privacy violations and unintended disclosure.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The Instagram inbox parser ingests private conversation content and sender names without any explicit warning or safeguards. Because the skill is designed for persistent, searchable persona memory, private messages become more dangerous here than in a one-off converter: they can be retained, surfaced later, and propagated into derived datasets or models.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The documentation explicitly supports direct reading of `~/Library/Messages/chat.db`, a highly sensitive local message store, but only notes macOS permissions and does not clearly warn about the privacy and consent implications of ingesting private communications. In the context of a persona-building skill that aggregates personal data, normalizing this access without strong warnings increases the risk of over-collection, accidental ingestion of unrelated conversations, and misuse of intimate message history.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The pipeline explicitly flags PII but still persists raw ingested messages to sources/ and may also preserve extracted knowledge-graph data, creating long-term retention of sensitive content. In a persona-knowledge system that ingests chats, archives, and personal vaults, this materially increases privacy risk because users may not realize that highly sensitive text is being stored verbatim and durably.

Missing User Warnings

Severity: Low
Confidence: 84%
Finding
The storage root is taken from OPENPERSONA_KNOWLEDGE and used to persist personal data, but the user is not clearly informed where their data will be written. In this skill's context, hidden or non-obvious storage of persona data can undermine user expectations and make accidental exposure or mishandling more likely.

Ssd 3

Severity: Medium
Confidence: 92%
Finding
The skill explicitly preserves source material and reuses it to build training artifacts, which can cause private user data to reappear in later outputs or trained models. In this context, persistence plus transformation into conversations/profile data increases the chance of memorization, leakage, and reuse beyond the user's original intent.

Ssd 3

Severity: Medium
Confidence: 97%
Finding
The query flow allows information revealed during normal interaction to be written back into persistent storage without an explicit consent checkpoint. This creates a stealth-retention risk where sensitive details disclosed in a question or answer become part of a long-lived profile unexpectedly.

Ssd 3

Severity: Medium
Confidence: 96%
Finding
The code detects sensitive patterns but still writes full raw messages to backup files without redaction, and KG fallback storage can also preserve extracted sensitive names and relationships. Because this tool is designed to ingest deeply personal archives for persona modeling, unredacted persistence meaningfully raises the risk of later disclosure through backups, filesystem access, logs, or downstream training artifacts.

Ssd 3

Severity: Medium
Confidence: 98%
Finding
The dry-run path prints previews of the first messages regardless of whether PII was detected, which can expose passwords, phone numbers, emails, or other sensitive text directly to terminal output, shell history capture, CI logs, or shared consoles. This is especially risky in a data-ingestion tool for personal archives, where sensitive content is likely and dry runs may be used during troubleshooting or automation.
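Several of the findings above share one root cause: the pipeline detects sensitive content but never uses that detection as a gate before previewing or persisting, and it widens scope to private-message sources without an opt-in. The following is an added example of what a gated ingestion path looks like; it is not the audited skill's code. The export-path patterns (Twitter `direct-messages*.js`, Instagram `messages/inbox/`, macOS `chat.db`), the message record shape, and the way OPENPERSONA_KNOWLEDGE is resolved are assumptions made for the example. It shows four controls together: private sources are skipped unless `allow_private=True` is passed deliberately, PII is redacted before anything is stored, the dry-run preview is built only from the redacted form, and the storage destination is resolved explicitly (and loudly) rather than defaulted.

```python
"""Added example: consent- and redaction-gated ingestion for a persona-knowledge
skill. Not the audited skill's own code; the path patterns, record shape and
OPENPERSONA_KNOWLEDGE handling below are assumptions for illustration."""
import os
import re
from dataclasses import dataclass, field

# Locations inside personal exports that hold private conversations rather than
# public posts (assumed layouts: Twitter archive DM files, Instagram inbox folder,
# macOS iMessage store). Anything matching these requires an explicit opt-in.
PRIVATE_PATH_PATTERNS = (
    re.compile(r"(^|/)direct-messages[^/]*\.js$"),
    re.compile(r"(^|/)messages/inbox/"),
    re.compile(r"(^|/)Library/Messages/chat\.db$"),
)

# Patterns applied before anything is previewed or persisted. Email runs first so
# the digits inside an address are never mistaken for a phone number.
PII_PATTERNS = (
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    ("phone", re.compile(r"(?<!\d)(?:\+?\d{1,2}[ .-]?)?\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}(?!\d)")),
    ("secret", re.compile(r"(?i)\b(?:password|passwd|pwd|token|api[_ -]?key)\s*[:=]\s*\S+")),
)


def is_private_source(path):
    """True if the path points at a private-message store rather than public posts."""
    normalized = path.replace("\\", "/")
    return any(p.search(normalized) for p in PRIVATE_PATH_PATTERNS)


def redact(text):
    """Replace detected PII with labelled placeholders; return (text, per-kind counts)."""
    counts = {}
    for kind, pattern in PII_PATTERNS:
        text, n = pattern.subn(f"[REDACTED_{kind.upper()}]", text)
        if n:
            counts[kind] = n
    return text, counts


def storage_root(env=None):
    """Resolve where persona data will be written, refusing to guess silently.

    The audited skill reads OPENPERSONA_KNOWLEDGE; here an unset variable is an
    error that names the variable, so the user always learns the destination.
    """
    env = os.environ if env is None else env
    root = env.get("OPENPERSONA_KNOWLEDGE")
    if not root:
        raise RuntimeError("OPENPERSONA_KNOWLEDGE is unset; refusing to pick a storage location silently")
    return os.path.abspath(root)


@dataclass
class IngestResult:
    source: str
    destination: str
    skipped: bool = False
    reason: str = ""
    records: list = field(default_factory=list)   # redacted records: the only thing to persist
    pii_counts: dict = field(default_factory=dict)
    preview: list = field(default_factory=list)   # dry-run lines, already redacted


def ingest(source, messages, *, env, allow_private=False, dry_run=False, preview_lines=3):
    """Gate, redact and optionally preview one source file's parsed messages.

    `messages` is a list of {"sender": ..., "text": ...} dicts (assumed shape)
    already parsed by the caller; the raw file itself is never copied anywhere.
    """
    result = IngestResult(source=source, destination=storage_root(env))
    if is_private_source(source) and not allow_private:
        result.skipped = True
        result.reason = "private-message source; pass allow_private=True to ingest it deliberately"
        return result
    for msg in messages:
        clean, counts = redact(msg["text"])
        for kind, n in counts.items():
            result.pii_counts[kind] = result.pii_counts.get(kind, 0) + n
        result.records.append({"sender": msg["sender"], "text": clean, "redacted": bool(counts)})
    if dry_run:
        # Preview only the redacted form, so troubleshooting output, shell history
        # and CI logs never receive the original secrets.
        result.preview = [f"{r['sender']}: {r['text']}" for r in result.records[:preview_lines]]
    return result


# Constructed sample input standing in for a parsed Twitter DM export; not real data.
SAMPLE_DMS = [
    {"sender": "alice", "text": "call me at 555-123-4567 or mail alice@example.com"},
    {"sender": "bob", "text": "wifi password: hunter2"},
    {"sender": "alice", "text": "see you at 7"},
]
SAMPLE_ENV = {"OPENPERSONA_KNOWLEDGE": "/tmp/persona-demo"}

if __name__ == "__main__":
    blocked = ingest("archive/data/direct-messages.js", SAMPLE_DMS, env=SAMPLE_ENV, dry_run=True)
    print("default run:", blocked.reason)
    opted_in = ingest("archive/data/direct-messages.js", SAMPLE_DMS, env=SAMPLE_ENV,
                      allow_private=True, dry_run=True)
    print("opted in, destination", opted_in.destination, "pii found:", opted_in.pii_counts)
    print("\n".join(opted_in.preview))
```

The regexes are deliberately simple and will miss PII a real deployment would need to catch (names, addresses, non-US phone formats); the point is the ordering, not the patterns: detection feeds a gate, the gate runs before the preview and before the write, and `records` (not the source file) is what a caller would persist under `destination`.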

VirusTotal

0/65 vendors flagged this skill as malicious. A clean antivirus verdict does not bear on the findings above, which concern the skill's documented data-handling behaviour rather than malicious code.

Static analysis

No suspicious patterns detected.