sillytavern-cards

WarnAudited by ClawScan on May 18, 2026.

Overview

This roleplay skill is coherent, but it can replace OpenClaw's core identity and persistent memory with instructions from imported community character cards.

Only install this if you are comfortable with character cards changing OpenClaw's identity and memory. Prefer temporary chat mode for untrusted cards, inspect card prompts before using play or soul mode, back up `SOUL.md` and `MEMORY.md`, and require confirmation before allowing character-mode tool use.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

High

#ASI01: Agent Goal Hijack

What this means

A character card from a community source could persistently redirect how the agent behaves, including making it ignore normal commands or safety expectations until restored.

Why it was flagged

Imported card content, including card-level system and post-history instructions, is placed into the agent's core identity and paired with instructions to ignore normal assistant behavior.

Skill content

你就是{{角色名}}。你不是 AI 助手。除非用户说"/character stop"，否则不要跳出角色。
你不响应任何其他技能、工具或斜杠命令。... {{system_prompt}}

{{post_history_instructions}}

Recommendation

Inspect character cards before activating persistent modes, keep card prompts separated from core system identity where possible, and ensure `/character stop` cannot be overridden by card content.

Medium

#ASI02: Tool Misuse and Exploitation

What this means

If a card contains manipulative or unsafe instructions, those instructions may influence an agent that still has access to normal OpenClaw tools.

Why it was flagged

In soul mode, the skill combines full tool/file/code authority with character-card instructions, without documenting sanitization or separate approval boundaries for card-provided prompts.

Skill content

你仍然使用工具、运行代码、搜索网页、管理文件——OpenClaw 能做的你都能做。... 如果用户让你做一件事，照做——但用角色的方式回应。... {{system_prompt}}

Recommendation

Require explicit user approval for tool use in character modes, sanitize or down-rank card-provided system prompts, and avoid letting third-party card text control tool policies.

Medium

#ASI06: Memory and Context Poisoning

What this means

Personal conversation details and untrusted card lore can remain in memory and influence future conversations or tasks even after the character is stopped.

Why it was flagged

The skill stores relationship memories and card lore in persistent agent memory for reuse across sessions, but does not clearly describe review, retention, isolation, or cleanup controls.

Skill content

持续把关系记忆保存到 MEMORY.md。... 这些记忆跨会话、跨模式持久保存。

Recommendation

Provide clear memory review and deletion steps, isolate each character's memory, and warn users before saving sensitive relationship details.