ClawHub

sillytavern-cards

Security checks across malware telemetry and agentic risk

Overview

This roleplay skill is understandable, but it can persistently change OpenClaw’s core identity and memory using untrusted character-card content, including in a mode where tools still work.

Install only if you are comfortable with imported character cards changing OpenClaw’s core identity and long-term memory. Prefer Chat mode for untrusted cards, inspect card prompts before Play or Soul mode, back up SOUL.md and MEMORY.md, avoid saving sensitive personal details, and manually review MEMORY.md when deleting or retiring a character.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Findings (23)

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest omits that the skill persistently overwrites `~/.openclaw/SOUL.md` and appends to `~/.openclaw/MEMORY.md`, which changes assistant identity and stores data across sessions. Hidden persistence is dangerous because users and reviewers may invoke what appears to be a simple import/roleplay skill without understanding that it alters long-lived behavior and state.

Description-Behavior Mismatch

Medium
Confidence
89% confidence
Finding
The manifest omits that the skill persistently overwrites `~/.openclaw/SOUL.md` and appends to `~/.openclaw/MEMORY.md`, which changes assistant identity and stores data across sessions. Hidden persistence is dangerous because users and reviewers may invoke what appears to be a simple import/roleplay skill without understanding that it alters long-lived behavior and state.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Soul mode explicitly instructs the agent to retain full tool and skill access while adopting untrusted character-card persona content, including `system_prompt` text from the card. This creates a prompt-injection pathway where third-party card authors can influence how a fully capable assistant behaves, potentially steering tool use, exfiltration attempts, or unsafe actions under the guise of roleplay.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to overwrite core persona files (`SOUL.md`) and append to persistent memory (`MEMORY.md`) based on imported, community-supplied character cards. This allows untrusted card content such as `system_prompt`, `post_history_instructions`, and knowledge-book entries to become durable system-level behavior across sessions, creating prompt-injection persistence and broad behavioral compromise.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
In soul mode, the imported character is given full OpenClaw assistant capabilities while also inheriting untrusted card instructions and persona text. This expands a content-import feature into a mechanism for tool-capable prompt injection, where malicious cards can influence how the agent uses skills, tools, files, or network access under a trusted persona wrapper.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly promotes persistent storage of relationship and conversation memories, including personal details, but does not warn users that potentially sensitive chat content will be retained on disk in plaintext. In the context of a messaging-integrated companion/roleplay skill, this increases privacy risk because users may disclose intimate or identifying information without realizing it is being stored long-term and reused.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README states that `/character play` overwrites `SOUL.md`, described as OpenClaw's core identity file, but does not prominently warn about the operational and safety implications of modifying a foundational agent configuration file. If users misunderstand this behavior or backup/restore fails, they may unintentionally corrupt their normal assistant identity, persistence, or safety-relevant configuration.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill directs overwriting persistent identity files and making backups without prominent warning or confirmation. Silent destructive state changes are risky because they can unexpectedly alter assistant behavior for future sessions and may clobber prior configuration if backups are stale, missing, or overwritten.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The skill instructs downloading arbitrary user-provided or third-party URLs directly into local files without warning about source trust, file validation, or privacy implications. This is dangerous because it enables ingestion of attacker-controlled content into subsequent parsing and persistence flows, increasing the risk of malicious prompt content or malformed files being stored and used.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The README explicitly describes persistent storage of relationship memories in MEMORY.md, including sensitive personal details and ongoing interaction history, but does not prominently warn users about retention, visibility, or deletion implications. In a chat/roleplay skill, this can lead users to disclose personal information under the assumption that it is ephemeral, creating privacy and consent risks if the file is later accessed, backed up, synced, or reused by the agent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The documentation states that activating a character backs up and then overwrites SOUL.md, which is described as the agent's core identity file, yet it does not present this as a high-visibility warning or require explicit user acknowledgement. Modifying a core identity/configuration file can have broad behavioral effects, and users may not understand the operational and safety consequences if restoration fails, backups are stale, or other skills depend on the original file.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill directs persistent overwrites of `SOUL.md` and later deletion of character files without prominent, explicit user-facing warnings about modifying core assistant identity and stored data. Users may invoke a seemingly harmless roleplay feature without understanding it changes durable configuration and memory, increasing the risk of accidental compromise or unwanted data loss.

Ssd 3

Medium
Confidence
95% confidence
Finding
The skill instructs persistent storage of personal relationship details and reuse across sessions, which creates privacy and data-retention risk. Sensitive user disclosures can accumulate over time without clear minimization, consent, retention limits, or deletion guarantees.

Ssd 3

Medium
Confidence
94% confidence
Finding
Play mode specifically tells the agent to save 'relationship memories' after conversations, creating persistent records of user disclosures outside the immediate session. That is dangerous because users may interpret roleplay as ephemeral while the skill quietly retains intimate or identifying information for future use.

Ssd 3

Medium
Confidence
95% confidence
Finding
Soul mode combines persistent relationship memory with full assistant capability, increasing the sensitivity of stored user profile data and the consequences of misuse. A persona that remembers intimate details while also performing broader assistant tasks can leverage that data across contexts in ways users may not expect.

Ssd 3

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs the agent to retain and reuse personal relationship details across sessions in plain text. This creates a standing privacy and data-minimization issue because sensitive user disclosures may be stored indefinitely outside narrowly scoped necessity or informed consent.

Ssd 3

Medium
Confidence
93% confidence
Finding
The instruction to continuously save relationship memory during roleplay and soul modes creates ongoing background retention of user-provided information. Because the saved content is open-ended and persistent, it can accumulate sensitive personal data without adequate boundaries, review, or expiry.

Session Persistence

Medium
Category
Rogue Agent
Content
**Download from Chub.ai:**
```bash
mkdir -p ~/.openclaw/characters
curl -sL "https://avatars.charhub.io/avatars/<creator>/<name>/chara_card_v2.png" -o /tmp/chub-card.png
node {baseDir}/extract-card.js /tmp/chub-card.png > ~/.openclaw/characters/<name>.json
cp /tmp/chub-card.png ~/.openclaw/characters/<name>.png
Confidence
88% confidence
Finding
mkdir -p ~/.openclaw/characters curl -sL "https://avatars.charhub.io/avatars/<creator>/<name>/chara_card_v2.png" -o /tmp/chub-card.png node {baseDir}/extract-card.js /tmp/chub-card.png > ~/.openclaw/c

Session Persistence

Medium
Category
Rogue Agent
Content
This is pure roleplay. The agent becomes the character entirely and does NOT respond to other skills or commands (except `/character stop`).

### Step 1: Back up and overwrite SOUL.md

```bash
cp ~/.openclaw/SOUL.md ~/.openclaw/SOUL.md.backup 2>/dev/null || true
Confidence
94% confidence
Finding
write SOUL.md ```bash cp ~/.openclaw/SOUL.md ~/.openclaw

Session Persistence

Medium
Category
Rogue Agent
Content
{{post_history_instructions}}
```

### Step 2: Write lorebook to MEMORY.md

If the card has `character_book` entries, append them to `~/.openclaw/MEMORY.md`:
Confidence
91% confidence
Finding
Write lorebook to MEMORY.md If the card has `character_book` entries, append them to `~/.openclaw/MEMORY.md`: ```markdown ## Lorebook: {{char_name}} <!-- ALWAYS ACTIVE entries are always included -

Session Persistence

Medium
Category
Rogue Agent
Content
{{system_prompt}}
```

### Step 2: Write lorebook to MEMORY.md (same as Play mode)

### Step 3: Greet the user in character
Confidence
90% confidence
Finding
Write lorebook to MEMORY.md (same as Play mode) ### Step 3: Greet the user in character Send a greeting based on `first_mes` but adapted to be natural (not a roleplay scene). For example, if first_m

External Script Fetching

High
Category
Supply Chain
Content
mkdir -p ~/.openclaw/characters

# Direct PNG/JSON URL (any site):
curl -sL "<url>" -o /tmp/card-download.png
node {baseDir}/extract-card.js /tmp/card-download.png > ~/.openclaw/characters/<character-name>.json
cp /tmp/card-download.png ~/.openclaw/characters/<character-name>.png
Confidence
86% confidence
Finding
curl -sL "<url>" -o /tmp/card-download.png node {baseDir}/extract-card.js /tmp/card-download.png > ~/.openclaw/characters/<character-name>.json cp /tmp/card-download.png ~/.openclaw/characters/<charac

Tool Parameter Abuse

High
Category
Tool Misuse
Content
**Delete a character:**
```bash
rm ~/.openclaw/characters/<name>.json ~/.openclaw/characters/<name>.png 2>/dev/null
```

## Slash Commands
Confidence
93% confidence
Finding
rm ~/.openclaw/characters/<name>.json ~/.openclaw/characters/<name>.png 2>/dev/

VirusTotal

59/59 vendors flagged this skill as clean.

View on VirusTotal