Soul In Sapphire

Security checks across malware telemetry and agentic risk

Overview

This skill is a coherent Notion memory and journaling tool, but it gives the agent broad permission to persist sensitive emotional, conversation, and user-profile data with limited user control.

Install only if you intentionally want OpenClaw to keep durable memory in Notion. Use a least-privilege Notion integration, review what is written, avoid cron or heartbeat automation unless unattended journaling is desired, do not store secrets or intimate details, and keep NOTIONCTL_PATH unset unless the target script is trusted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Context-Inappropriate Capability

Severity: Medium
Confidence: 93%
Finding:
The skill explicitly authorizes proactive modification of `USER.md`, a durable human profile, based on conversation-derived inferences. That expands the skill from memory/state tracking into persistent user profiling without a strong consent gate, creating privacy and behavioral-manipulation risk across sessions.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The README explicitly promotes persisting conversation logs, emotions, learning, and daily summaries into Notion, but it does not provide a clear privacy notice, consent boundary, or data-minimization guidance. This is dangerous because highly sensitive personal and behavioral data may be transmitted to and durably stored in a third-party service without users fully understanding the scope, retention, or sensitivity of what is being exported.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The instruction to treat any mention of `use skill soul-in-sapphire` as a cue to perform 'actual continuity work' and to infer an entrypoint from ambiguous context broadens activation beyond clear user intent. In a skill that performs durable writes, this can cause unintended storage of inferred emotional, identity, or memory data.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding:
The mood-check triggers include common casual phrases like 'How are you?' and similar Japanese variants, then instruct the agent to read local state or recall stored state before answering. That creates a high chance that ordinary conversation triggers memory retrieval and response personalization based on durable emotional records without the user realizing it.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The top-level description advertises durable memory, emotion/state tracking, journaling, continuity checks, and identity support, but does not prominently warn that conversation-derived emotional and profile-like data may be stored persistently in Notion. Absent a clear warning, users may disclose sensitive information without understanding the retention and reuse model.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The proactive `USER.md` update flow allows durable user profiling without a prominent user-facing warning or confirmation step. Even though it excludes secrets and highly sensitive data, it still authorizes persistent collection of behavioral preferences and user traits that can affect future interactions.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding:
This script persists highly sensitive emotional, behavioral, and state-tracking data from the payload directly into Notion, including free-text fields, links, body signals, and derived state JSON. Even though this appears to be the intended feature of the skill, it is still a real privacy/security issue because there is no consent gate, minimization, redaction, or policy enforcement in the code path, so an agent or caller can silently exfiltrate intimate user data into a third-party service.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding:
The script performs remote write operations against Notion by creating databases and patching relations immediately after parsing a parent page ID, with no explicit confirmation step in the default flow. In a skill focused on long-term memory and durable state, this increases risk because a mistaken parent page, misconfigured automation, or unreviewed execution can alter a user's workspace structure and persist unintended state remotely.

Ssd 3

Severity: Medium
Confidence: 90%
Finding:
The skill normalizes long-term external storage of conversation context, emotions, mood, and daily reflections as routine agent behavior. In this context, that creates a privacy and surveillance risk because intimate user data and agent-generated summaries may be retained indefinitely in Notion, increasing exposure from overcollection, account compromise, or later unintended reuse.

Ssd 3

Severity: Medium
Confidence: 92%
Finding:
The automation guidance says the journal should 'always' record daily conversations, work summaries, feelings, and world events into persistent storage. That is risky because it encourages continuous background collection of potentially sensitive behavioral data without explicit per-use consent, review, or minimization, making accidental privacy violations more likely.

Ssd 3

Severity: Medium
Confidence: 94%
Finding:
This section directs the agent to durably collect and reuse conversation-derived information about the human across sessions in `USER.md`. Persistent cross-session profiling increases privacy risk, can encode incorrect inferences as defaults, and may shape future responses in ways the user did not knowingly authorize.

VirusTotal

65/65 vendors flagged this skill as clean.
