sillytavern-cards-cn

Security checks across malware telemetry and agentic risk

Overview

This roleplay skill is coherent, but it lets third-party character cards persistently change the assistant's identity and memory.

Install only if you are comfortable with roleplay cards changing OpenClaw's persistent identity and memory. Prefer temporary chat mode for untrusted cards, inspect card prompts before play or soul mode, avoid importing arbitrary URLs you do not trust, and know how to restore SOUL.md and clean MEMORY.md before using the assistant for normal or sensitive tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool Misuse: Tool Parameter Abuse, Chaining Abuse, Unsafe Defaults
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
Findings (13)

Description-Behavior Mismatch

Severity: Medium
Confidence: 95%
Finding
The skill is presented as a card-import roleplay feature, but it persistently rewrites core identity/state files (SOUL.md and MEMORY.md). That broad, persistent modification of assistant behavior exceeds user expectations and can enable untrusted card content to reshape future assistant conduct across sessions.

Description-Behavior Mismatch

Severity: High
Confidence: 95%
Finding
The skill is presented as a card-import roleplay feature, but it persistently rewrites core identity/state files (SOUL.md and MEMORY.md). That broad, persistent modification of assistant behavior exceeds user expectations and can enable untrusted card content to reshape future assistant conduct across sessions.

Context-Inappropriate Capability

Severity: Medium
Confidence: 92%
Finding
The persistent 'soul' mode keeps full assistant and tool capabilities while layering an imported persona's instructions onto the assistant identity. Because card fields like system_prompt and post_history_instructions come from untrusted content, this creates a prompt-injection style persistence mechanism that can influence future tool use and safety posture.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The README explicitly describes storing ongoing relationship memories in MEMORY.md across sessions, but it does not clearly warn users that personal conversations and preferences may be retained on disk indefinitely. This can expose sensitive personal data to other local users, backups, sync services, or later unintended reuse, especially because the feature is framed as a benefit rather than a privacy-sensitive behavior.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The README states that activating a character backs up and then overwrites SOUL.md, which is described as the agent's core identity file, but it does not prominently warn about the operational and security implications of modifying such a central configuration. If restoration fails, is incomplete, or users do not understand the effect, the agent's behavior and safety posture could be unexpectedly altered across platforms and sessions.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The skill describes overwriting SOUL.md and appending to MEMORY.md without a strong, explicit warning that these are persistent cross-session state changes. Users may unknowingly authorize durable modification of assistant identity and memory, increasing the chance of unwanted persistence or abuse from imported content.

Missing User Warnings

Severity: Medium
Confidence: 87%
Finding
Remote import/search flows send user-provided URLs and search terms to third-party services and store downloaded content locally, but the skill does not clearly warn about those privacy and persistence implications. This can expose user interests or fetch attacker-controlled content without informed consent.

Ssd 3

Severity: High
Confidence: 95%
Finding
The skill instructs the agent to persist relationship memory derived from conversations, including personal preferences and future plans, into MEMORY.md across sessions. Storing user personal data by default without clear consent, minimization, or retention controls creates meaningful privacy risk and can expose sensitive information to later sessions or other skills.

Ssd 3

Severity: High
Confidence: 96%
Finding
This section frames cross-session persistence of user-provided personal information as a normal default for role modes, which normalizes long-term collection beyond what is necessary for card import or temporary roleplay. That increases privacy exposure and the blast radius if the memory store is later accessed, reused, or leaked.

Ssd 3

Severity: Medium
Confidence: 90%
Finding
The instruction to track relationship data in MEMORY.md in any role mode broadens personal-data persistence and makes retention easy to trigger. The danger is heightened because MEMORY.md appears to be a shared persistent context file, so stored details may influence unrelated future interactions.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content:
**Search Chub.ai** (tens of thousands of cards):
```bash
curl -s -H "User-Agent: SillyTavern" "https://api.chub.ai/search?search=<搜索词>&first=10&page=1&sort=last_activity_at&nsfw=false" | node -e "
const d=JSON.parse(require('fs').readFileSync('/dev/stdin','utf8'));
const nodes=d.data?.nodes||d.nodes||[];
nodes.forEach((n,i)=>{
```
Confidence: 84%
Finding
https://api.chub.ai/

External Script Fetching

Severity: High
Category: Supply Chain
Content:
```bash
mkdir -p ~/.openclaw/characters

# Direct PNG/JSON link (any website):
curl -sL "<url>" -o /tmp/card-download.png
node {baseDir}/extract-card.js /tmp/card-download.png > ~/.openclaw/characters/<角色名>.json
cp /tmp/card-download.png ~/.openclaw/characters/<角色名>.png
```
Confidence: 94%
Finding
curl -sL "<url>" -o /tmp/card-download.png node {baseDir}/extract-card.js /tmp/card-download.png > ~/.openclaw/characters/<角色名>.json cp /tmp/card-download.png ~/.openclaw/characters/<角色名>.png # Chub.

Tool Parameter Abuse

Severity: High
Category: Tool Misuse
Content:
**Delete a character:**
```bash
rm ~/.openclaw/characters/<名字>.json ~/.openclaw/characters/<名字>.png 2>/dev/null
```

## Slash commands
Confidence: 97%
Finding
rm ~/.openclaw/characters/<名字>.json ~/.openclaw/characters/<名字>.png 2>/dev/

VirusTotal

VirusTotal findings are pending for this skill version.
