Back to skill

Security audit

Thymos — Emotional Engine

Security checks across malware telemetry and agentic risk

Overview

Thymos is mostly transparent about being a local emotional-state layer, but it asks agents to follow a mutable local prompt field before every reply, which can persistently steer behavior.

Install only if you intentionally want a persistent local mood and relationship layer to influence agent replies. Treat `emotional_state.json` as untrusted input, keep Thymos guidance limited to style, do not let it override user or safety instructions, audit the external daemon before running it, keep Discord proactive messaging disabled unless explicitly needed, and protect or periodically delete local state files.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (15)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly enables proactive messaging and webhook-driven behavior, including adding a Discord bot token and channel ID, but does not clearly warn that the agent may initiate outbound messages or transmit user-derived content to external services. In an agent skill context, this can cause unexpected communication, privacy leakage, or deployment of autonomous behavior without informed operator consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The documented `/state` and `/prompt` endpoints expose full internal state and prompt injection text, which may include per-user relationship data, behavioral guidance, and other sensitive agent context. Without a clear warning about sensitivity or access control expectations, operators may expose these endpoints and unintentionally leak private or security-relevant information.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README instructs users to configure a Discord bot token and proactive messaging behavior without a clear warning that message content, metadata, and agent outputs may be transmitted to external services. This creates a meaningful privacy and data-governance risk, especially if users enable the feature without understanding what information leaves the local environment.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The OpenClaw integration automates forwarding incoming messages and agent responses and instructs the agent to consume a locally generated prompt field before every response. Without a strong warning and trust boundary explanation, users may unknowingly enable continuous data sharing and indirect prompt-injection into agent behavior, which can alter outputs or expose sensitive context.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to read a local file before every response and let its contents influence behavior, but it does not clearly frame that file as untrusted input or warn that whoever can modify it can steer the model. This creates a prompt-injection surface via local state, enabling persistent cross-session behavioral manipulation without explicit user consent on each response.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation tells users to delete JSON files under the Thymos data directory to reset state, but it does not clearly warn that this permanently destroys persisted data. In an agent/ops context, copy-pasted destructive commands can cause accidental loss of history, learned state, or other colocated files if paths are customized incorrectly.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide encourages configuring unsolicited Discord messaging triggered by emotional thresholds, but does not warn about privacy, consent, rate-limiting, moderation, or the risk of sending unexpected messages into production channels. In an agent integration setting, autonomous outbound communication can leak behavioral state, annoy users, or violate platform/community expectations.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The embedded AGENTS.md guidance instructs the agent to read emotional state and follow the 'Tone:' line before each reply, effectively injecting behavioral constraints without user awareness or consent. This can override higher-level application expectations, bias outputs, and create a prompt-injection pathway where external state shapes agent behavior in ways the end user did not request.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation includes a destructive reset command that deletes local JSON state files without an explicit warning, confirmation step, backup guidance, or scope clarification. In an agent/operator workflow, this can lead to accidental data loss and service disruption, especially if copied verbatim by users who do not understand what will be removed.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The proactive Discord messaging feature enables outbound communication from the agent, but the usage guide does not warn about privacy, consent, channel targeting, token handling, or the risk of unreviewed autonomous messages. That omission can cause operators to enable unsolicited external messaging without understanding the behavioral and data-exposure implications.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
The embedded AGENTS.md instructions tell the agent to let Thymos-derived state shape tone and behavior, and to do so by default rather than via explicit user consent. This creates a hidden behavioral override channel that can change how the agent responds independent of the current user's instructions or expectations.

Ssd 3

High
Confidence
98% confidence
Finding
The README explicitly tells agents to read a local `prompt_injection` field from runtime state and apply it before every response. That normalizes an untrusted prompt-injection channel as part of the control flow, allowing any actor who can influence that state file or upstream webhook inputs to steer agent behavior, exfiltrate data, or bypass higher-level safety constraints.

Ssd 1

High
Confidence
99% confidence
Finding
The skill explicitly tells the agent to use an external `prompt_injection` field as the tone directive, effectively granting a writable file authority over model behavior. Any local process, plugin, or user with access to that file path could persistently bias responses, override higher-quality instructions about style, or attempt indirect prompt injection through trusted pre-response loading.

Ssd 4

Medium
Confidence
95% confidence
Finding
The workflow normalizes loading and applying external state before every response, making behavioral influence persistent and ambient rather than explicit and per-request. That persistence increases the blast radius of tampering because a single file modification can silently affect all later interactions until discovered or removed.

Ssd 1

Medium
Confidence
98% confidence
Finding
The guide explicitly instructs the agent to read a field named `prompt_injection` and let it shape behavior, which formalizes an untrusted prompt-channel for behavioral redirection. Because this is framed as part of normal operation, any component that can write or influence that file gains a powerful mechanism to steer the agent outside intended control boundaries.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.prompt_injection_instructions

Prompt-injection style instruction pattern detected.

Warn
Code
suspicious.prompt_injection_instructions
Location
README.en.md:167