Personality Dynamics
Suspicious
Audited by ClawScan on May 10, 2026.
Overview
This mostly behaves like a persona-learning tool, but it has an unsafe command runner, and it persistently changes both what the agent remembers and what the agent may later consider itself permitted to do.
Review this carefully before installing. Do not pass untrusted or free-form text to the CLI until the shell-execution issue is fixed. If you use it, inspect the PERSONA/evolves files regularly, avoid granting broad external-action permissions, and only enable heartbeat automation after confirming which workspace it will read and how to disable it.
Findings (5)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
A crafted command or copied prompt could run unintended commands on the user's computer under their account.
User-controlled CLI arguments are interpolated into a shell command string. Free-form arguments intended for commands such as mode detection can be reinterpreted as shell syntax.
const remainingArgs = args.slice(1).join(' ');
execSync(`node --experimental-strip-types ${scriptPath} ${remainingArgs}`, {
Replace execSync string execution with spawnSync/execFileSync using an argument array, validate allowed arguments, and never pass arbitrary user text through a shell.
Future agent behavior could treat a casual persona update as permission to perform high-impact actions, such as posting publicly or scheduling meetings, if other tools are available.
The skill invites broad delegated permissions and writes them into persistent persona instructions without a scoped approval model or clear separation from real external-action authority.
const newPermissions = await question("Any new permissions I should have? (e.g., 'can schedule meetings', 'can send tweets') ");
...
if (newPermissions) additions.push(`- New Permission: ${newPermissions}`);
Limit stored permissions to low-risk preferences, require explicit per-action approval for external/account actions, and record scope, duration, and revocation instructions.
Personal conversation patterns and emotional signals may remain stored in the workspace and influence future agent responses.
The skill reads local session memory and persists inferred communication preferences, stress markers, celebration markers, and mood state for future use.
const memoryFile = join(memoryDir, `${today}.md`);
const transcript = readFileSync(memoryFile, 'utf-8');
...
save('patterns.json', patterns);
save(`session-${Date.now()}.json`, sessionAnalysis);
Review PERSONA/evolves regularly, avoid including sensitive personal details unless intended, and add clear retention and deletion controls.
If enabled, the skill may keep processing session memory after normal use without an obvious per-run prompt. On another machine the hardcoded cd target will not exist and, because the script discards stderr and exit status, the run fails silently.
If connected to a heartbeat mechanism, this script can run analysis after sessions and weekly reports automatically; it also hardcodes a developer-looking local path.
# Auto-run persona evolution analysis after sessions
# Called by OpenClaw heartbeat or manually
cd /Users/nealme/clawd
...
node --experimental-strip-types skills/persona-evolution/analyze-session.ts 2>/dev/null || true
Enable heartbeat behavior only explicitly, remove hardcoded paths, log failures instead of suppressing them, and provide an easy disable/cleanup path.
Copying the documented commands could cause a user to install or run a different package than the reviewed artifact.
The evaluated registry entry is personality-dynamics, while the README and binary naming refer to persona-evolution; combined with no install spec, this creates provenance and installation ambiguity.
# Install
clawhub install persona-evolution
# Generate rich AI persona
npx persona-evolution generate-demo
Align the registry name, package name, binary name, and documentation; add an install spec or pinned source so users know exactly what code will run.
