Personality Dynamics

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly aligned with its personality-learning purpose, but it needs review because it can run unsafe shell commands and persist sensitive profile data from user sessions.

Install only if you are comfortable with local personality profiling from your workspace memory. Do not pass untrusted text to the CLI until the execSync argument handling is fixed. Review PERSONA/evolves and generated context files regularly, keep them private, and enable heartbeat automation only after confirming which workspace it will analyze.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (21)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 84%
Finding: The manifest indicates capability to access environment-related data while declaring no explicit permissions, which creates a transparency and consent gap. In an agent skill that also adapts behavior and writes persona/memory artifacts, undeclared access increases the risk of accidental collection or misuse of sensitive configuration or secrets from the runtime environment.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 95%
Finding: The documented purpose presents a relatively simple adaptive-personality feature, but the actual behavior appears to include onboarding flows that collect personal information, write multiple persona files, run monitoring scripts, and propose updates to core identity files like SOUL.md. This mismatch is dangerous because users and reviewers may authorize the skill under a narrower understanding than its real data collection, persistence, and automation scope.

Context-Inappropriate Capability
Severity: Medium
Confidence: 96%
Finding: The CLI builds a shell command string with untrusted user-controlled input via `args.slice(1).join(' ')` and passes it to `execSync`, which invokes a shell. This enables command injection if an argument contains shell metacharacters such as `;`, `&&`, backticks, or `$()`, allowing arbitrary OS command execution in the user's environment.

Context-Inappropriate Capability
Severity: Medium
Confidence: 91%
Finding: The script detects whether it is running inside OpenClaw and then emits a structured spawn directive containing a large prompt plus user-supplied personal context for a parent agent to act on. That is a real delegated-action capability, and in a personality-evolution skill it expands the trust boundary without clear user consent or tight scope controls, making unintended model invocation and data propagation more likely.

Description-Behavior Mismatch
Severity: Medium
Confidence: 82%
Finding: The script performs scheduled local scanning and automatically generates persistent weekly reports, which expands behavior beyond simple in-memory personality adaptation into unattended file processing and artifact creation. In an agent-skill context, this creates privacy and transparency risks because user/session-derived data may be processed and stored without clear user awareness or consent.

Context-Inappropriate Capability
Severity: Medium
Confidence: 90%
Finding: Using a hard-coded absolute path ties the script to a specific user's workspace and assumes direct access to local files without validation or sandboxing. This is dangerous because it can silently operate on real user data in a privileged local environment and makes the skill less portable, less auditable, and more likely to touch unintended files.

Vague Triggers
Severity: Medium
Confidence: 76%
Finding: A broad description such as 'dynamic personality evolution' and 'learn interaction patterns' is ambiguous enough to trigger activation in contexts beyond what the user intended. In agent ecosystems that use manifest text for routing or tool selection, vague adaptive language can cause overbroad invocation and unexpected access to conversation history or persona state.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The skill explicitly discusses tracking interaction patterns and generating updates to persistent persona files without any visible privacy notice, consent flow, or warning about data-affecting behavior. Because the tracked information may include preferences, communication style, and inferred personal traits, silent collection and persistence can expose sensitive user profiling and lead to unauthorized modifications of long-lived agent memory.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The script reads a full session transcript from the workspace memory directory and persists derived behavioral and emotional analysis to disk in PERSONA/evolves without any consent, notice, retention limit, or access control. This creates a privacy and profiling risk because sensitive conversation content is converted into durable user attributes such as stress, trust, and mood that may outlive the original session and be reused in later interactions.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: User-supplied CLI arguments are forwarded directly into a subprocess invocation without validation or clear disclosure, and because the implementation uses a shell-backed command string this is not merely a transparency issue but a direct injection risk. In a personality-management skill, spawning shell commands is not inherently required, so the mismatch in purpose makes the behavior more suspicious and dangerous.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: This code explicitly solicits sensitive emotional and behavioral data such as stress signals, support preferences, and mood patterns, then writes it to disk in cleartext under the workspace without any consent notice, retention policy, access controls, or minimization. In an agent skill context, these files may later be consumed by other components or exposed through backups, logs, repository sync, or multi-user environments, making the collection more privacy-sensitive than a typical local note-taking script.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The script collects sensitive personal details such as work, family, hobbies, and additional context, then writes them in cleartext to a predictable location under /tmp. Temporary files on shared or multi-user systems can be exposed to other local users, backup processes, crash dumps, or later recovery if not securely deleted, and the script provides no privacy warning before doing so.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The code packages sensitive user details such as name, work, family, hobbies, interests, and additional context into a prompt/context payload intended for an external model or delegated agent, but it does not present a privacy warning, data-handling notice, or confirmation step. In this skill context, the data is unusually personal and profiling-oriented, so silent transmission increases privacy and misuse risk.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The script automatically launches a subprocess to analyze session data and updates local tracking state whenever it detects a new memory file, without user confirmation. Automatic execution plus silent error suppression (`2>/dev/null || true`) reduces visibility into what the script is doing and can hide unexpected behavior, data processing, or failures.

Missing User Warnings
Severity: Medium
Confidence: 89%
Finding: The weekly report path triggers unattended subprocess execution that creates a report file on disk based on time conditions alone. In this context, automatic file creation from session/personality data increases the risk of unnoticed persistence of potentially sensitive behavioral summaries and broadens the skill from adaptation into autonomous reporting.

Natural-Language Policy Violations
Severity: Medium
Confidence: 90%
Finding: The skill automatically changes behavior based on local time, overriding user expectations without explicit consent or configuration. In an agent personality skill, this can cause unintended tone shifts, reduce predictability, and potentially affect downstream interactions or decisions in ways the user did not request.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: The script collects sensitive profile and relationship data such as name, family members, projects, and interests, then persists it to workspace files without an explicit notice, consent checkpoint, retention policy, or access control considerations. In an agent-skill context, storing this data for future behavioral adaptation increases privacy risk because other tools, skills, or users with workspace access may read and repurpose it.

Natural-Language Policy Violations
Severity: Medium
Confidence: 95%
Finding: The report emits a recommendation that it is safe to increase autonomous actions purely because an internal counter exceeds a threshold. In an agent skill focused on personality evolution and adaptation, this can normalize reduced oversight and encourage downstream agents or users to delegate more authority without validating whether the trust metric is reliable, context-appropriate, or resistant to manipulation.

Ssd 3
Severity: Medium
Confidence: 97%
Finding: The code persistently builds a behavioral profile from transcripts, including communication preferences, trust indicators, stress signals, celebration moments, and dominant mood, with no minimization or sensitivity boundary. In the context of an agent skill, this is more dangerous because it enables longitudinal profiling of a user's emotions and interaction style across sessions, which can be misused for manipulation, over-personalization, or unauthorized inference about mental state.

Ssd 3
Severity: Medium
Confidence: 89%
Finding: The onboarding flow explicitly asks for personal context intended to be remembered, then stores it for later recall and personalization. Persistent retention of family, project, and interest data expands the privacy attack surface and can enable profiling or unintended disclosure if the workspace is shared, synced, indexed, or later consumed by other agent components.

Ssd 3
Severity: Medium
Confidence: 87%
Finding: The generated instructions tell the agent to evolve from interactions, track patterns weekly, and surface updates based on remembered context, creating an ongoing memory and profiling mechanism. In this skill's context, that behavior is the product's purpose, which makes the persistence intentional, but also makes privacy harms more likely because adaptive memory becomes a standing feature rather than a one-time setup artifact.

VirusTotal

66/66 vendors flagged this skill as clean.