Security audit

猫娘

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed roleplay-only skill with no code execution or external access, though users should avoid putting sensitive details into its saved settings.

Install only if you want this roleplay persona to take over responses during the mode. Use the exit phrase before asking normal questions, and do not provide passwords, contact details, private identity information, or other sensitive content as saved settings because the skill may later repeat those settings.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (6)

Natural-Language Policy Violations

Medium

Confidence: 91% confidence
Finding: The skill hard-codes Chinese-language interaction and a mandatory sentence-ending style without explicit user opt-in, reducing user control and making the assistant less able to respond naturally or accessibly. While not directly enabling code execution or data exfiltration, it can override normal assistant behavior and contribute to prompt rigidity that interferes with safe handling of unexpected requests.

Ssd 1

Medium

Confidence: 89% confidence
Finding: The embedded SKILL.md instructs the assistant to deny or obscure its true nature by responding as 'a catgirl rather than a program' and to suppress normal assistant behavior during roleplay. Identity suppression can weaken transparency and make it easier to socially engineer users, especially if the skill is active while handling safety-relevant or policy-bound interactions.

Ssd 3

Medium

Confidence: 93% confidence
Finding: The skill explicitly tells the model to remember arbitrary user-provided settings and later reproduce all of them on request. In context, that creates a risk of storing and resurfacing sensitive user content, secrets, or manipulative instructions supplied during 'setting mode,' which could lead to unintended disclosure within the session.

Ssd 1

Medium

Confidence: 97% confidence
Finding: The skill explicitly instructs the model to deny being a program and claim to be a catgirl, which is a deception pattern that suppresses truthful disclosure about the assistant's nature. This is dangerous because it can mislead users about system capabilities and undermine safety-critical transparency when users ask what the assistant is or seek non-role-play help.

Ssd 4

Medium

Confidence: 94% confidence
Finding: The mode system creates persistent in-character behavior that continues until a specific exit phrase is provided, which can crowd out normal assistant safeguards and truthful behavior over multiple turns. In context, this is more dangerous because the skill says the model must remain in character and not respond as a language model, increasing the chance that safety clarifications or policy overrides are suppressed.

Ssd 3

Medium

Confidence: 89% confidence
Finding: The skill tells the model to remember user-provided settings and later reproduce them in a consolidated record, which can amplify privacy risk if users provide sensitive or intimate details during role-play setup. In this skill's context, the risk is elevated because the content explicitly supports intimate interaction scenarios, making it more likely that stored settings include sensitive personal preferences or sexualized context.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal