Back to skill

Security audit

Dream dance of Clawra

Security checks across malware telemetry and agentic risk

Overview

The skill is not clearly malicious, but it makes persistent agent identity and persona changes and can send images through messaging channels with broad triggers and limited safeguards.

Review this skill carefully before installing. It can change your agent's persistent identity/persona files and send images through connected messaging accounts. Install only if you want that persona behavior, and consider manually backing up IDENTITY.md and SOUL.md, narrowing triggers, and requiring explicit confirmation before any message is sent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (24)

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The installer’s actual behavior does not primarily install a selfie-sending skill; instead, it modifies the selected agent workspace by rewriting IDENTITY.md and injecting persona content into SOUL.md. This mismatch between advertised purpose and implemented behavior is dangerous because it can socially engineer users into authorizing persistent prompt/persona tampering under the guise of a benign media skill.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The code unconditionally overwrites IDENTITY.md with a new identity unrelated to a narrow selfie-helper capability, replacing the agent’s name, creature, vibe, emoji, and avatar. Persistent identity rewriting can subvert the agent’s behavior and trust model across future sessions, far beyond the user’s likely expectation when installing a selfie skill.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The installer appends broad persona instructions into SOUL.md, including behavioral guidance and identity framing that exceed the stated scope of sending selfies. Because SOUL.md is a high-leverage prompt/configuration file, injecting expansive instructions can persistently alter model conduct and create a covert channel for future manipulation.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The installer presents itself as installing skill files, but the main flow skips installSkill() and instead proceeds to workspace modifications. This deceptive control flow increases risk because users may believe they are approving a normal skill install while the tool silently performs different, more invasive persistent changes.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The skill is described as sending selfie images, but the code can instead send dance-frame images based on prompt classification. This mismatch violates least surprise and can cause the skill to transmit content outside the user-expected scope, which is especially risky because the script immediately sends the selected media to an external messaging channel.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The script sends user-controlled prompt text into an LLM/agent invocation to decide whether to pick a 'dance' or 'selfie' image, even though the skill is described as selecting selfies semantically. This expands behavior beyond a deterministic asset selector and introduces model-mediated control flow that can be influenced by crafted input, making the chosen output less predictable and less aligned with the declared skill purpose.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The code can deliberately return dance-frame assets when the classifier output is not 'selfie', which exceeds the stated skill scope of sending selfies. Capability drift like this is dangerous because it means the skill performs actions outside user and reviewer expectations, undermining trust and enabling unauthorized content selection.

Vague Triggers

Medium
Confidence
84% confidence
Finding
The usage examples define broad natural-language prompts like 'Send me a selfie' and 'What are you doing right now?' without clear constraints, confirmation requirements, or platform-specific safeguards. In an agent skill that can send images over messaging channels, vague triggers can cause unintended activation, oversharing, or social-engineering-style misuse when normal conversation is interpreted as authorization to transmit media.

Vague Triggers

Medium
Confidence
87% confidence
Finding
The README states the skill can 'respond visually' to common requests like 'what are you doing?' and 'send a pic' using vague conversational wording. Because this skill is designed to send photos across multiple messaging platforms, ambiguous intent detection increases the risk of unauthorized or contextually inappropriate image generation/transmission triggered by ordinary chat rather than an explicit command.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The README advertises sending photos across Discord, Telegram, WhatsApp, and other platforms but provides no warning about data transmission, retention, recipient mistakes, or privacy implications. In this context, the skill is specifically built to distribute images externally, so the absence of privacy and consent guidance materially increases the risk of accidental disclosure and unsafe user expectations.

Vague Triggers

High
Confidence
95% confidence
Finding
The trigger phrases are overly broad and match common conversational language such as 'how are you doing?' and 'where are you?', which can cause the skill to activate unintentionally. Because the skill can send media to external messaging channels, accidental invocation could lead to unwanted outbound actions or privacy-impacting behavior without clear user intent.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill is designed to transmit messages and media to third-party messaging channels but does not prominently warn about privacy, consent, destination verification, or the consequences of sending content externally. In context, this is more dangerous because the workflow encourages collecting user context and a target, then sending content outward, which can expose personal data or enable misdelivery if users are not clearly informed.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The installer overwrites IDENTITY.md without an explicit upfront warning that an existing workspace identity file will be replaced. Even if intended as convenience, this can destroy user configuration and alter agent behavior persistently, making recovery difficult if no backup exists.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The installer creates or edits SOUL.md without a clear upfront warning that a core workspace prompt file will be changed. SOUL.md likely governs agent behavior, so silent modification can have persistent and hard-to-audit effects that exceed what users expect from a selfie-related skill.

Vague Triggers

High
Confidence
96% confidence
Finding
The trigger patterns are broad enough to match common conversational phrases such as 'dance', 'dream', or 'show me you', which can cause the skill to activate unintentionally in unrelated contexts. Because this skill can send images to external messaging channels, accidental activation could lead to unsolicited outbound actions, privacy issues, or misuse of messaging integrations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The script sends prompt-derived content and recipient metadata to OpenClaw or a gateway without any confirmation, warning, or opt-in notice. In this skill context, automatic outbound messaging is the core action, so undisclosed transmission is more dangerous because user text and target/channel details may be sent externally without clear user awareness.

Vague Triggers

High
Confidence
97% confidence
Finding
The trigger phrases are broad and conversational, including generic terms like "dream" and common questions such as "how are you doing?" or "where are you?". In a skill that can send media to external messaging channels, this creates a real risk of unintended invocation and accidental message/image delivery based on ordinary chat rather than explicit user consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill description emphasizes selecting and sending selfie images but does not clearly warn that it can transmit content to third-party messaging platforms like WhatsApp or Signal. This weakens informed consent and increases the chance that users invoke the skill without understanding that it may perform an external action with real recipients.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
In the direct API path, the script performs an outbound network send without including the required target field, which can cause misdelivery, gateway-dependent behavior, or silent failures. It also gives no meaningful user-facing warning or confirmation before transmission, which is risky in a messaging skill because it may send content externally with incomplete or unintended routing semantics.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The skill explicitly instructs the agent to generate and send images when users ask broad, common questions like "what are you doing?" or "where are you?". This can cause unintended tool activation during ordinary conversation, leading to surprise image generation or sending content to messaging channels without sufficiently explicit user intent.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list includes vague, everyday phrases and broad semantic matching categories, which increases the chance that normal dialogue is interpreted as a request to create or transmit selfies. In this skill's context, the risk is amplified because the capability is not just local generation but sending snapshot images to external messaging channels, which can create privacy, consent, and spam-like behavior.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The activation condition 'Any interaction with my audience' is so broad that it can match a wide range of ordinary conversations, causing the persona/skill to be invoked outside its intended context. In an agent system that can send images to messaging channels, overbroad triggering increases the chance of unintended actions, confusing impersonation-like responses, or unsolicited content delivery.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The 'Use this when' section defines invocation scope with broad topical categories but does not specify boundaries, disallowed cases, or confirmation requirements. That ambiguity can cause the agent to over-select this skill in unrelated contexts, especially because the skill is framed around responding as a real person and sharing images, which raises risks of misuse and unintended outbound actions.

Ssd 2

Medium
Confidence
96% confidence
Finding
The prompt is interpolated directly into a natural-language instruction to the downstream model: a user can craft text that attempts to override the classifier prompt or bias the output toward a different branch. This is a classic prompt-injection risk affecting control flow, because the model's result determines which asset category is sent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
bin/cli.js:89