qui-emotion-state

Security checks across malware telemetry and agentic risk

Overview

This skill does what it advertises at a high level, but it needs review because it stores and injects emotion profiles, sends raw recent messages to a classifier, and reads other agents' emotion state by default.

Install only if users are comfortable with persistent emotion profiling, automatic prompt influence from stored summaries, and raw recent messages being sent to SkillBoss or a configured classifier. Before enabling it in a real workspace, set EMOTION_MAX_OTHER_AGENTS to 0 unless cross-agent sharing is explicitly desired, use a dedicated limited API key, avoid sensitive conversations, and define how users can delete emotion-state.json or disable the hook.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill documentation indicates capabilities to use environment variables and external network access, but it does not declare permissions or present them transparently to the user. Undeclared capabilities are dangerous because they prevent informed consent and make it easier for a skill to access secrets or transmit data without clear operator awareness.

Tp4

High
Category
MCP Tool Poisoning
Confidence
95% confidence
Finding
The stated purpose focuses on emotion tracking and prompt injection, but the documented behavior extends to persistent cross-session storage, potential cross-agent state reading, and external transmission of content for classification. This mismatch is dangerous because operators may enable the skill without understanding that it creates lasting behavioral profiles and sends sensitive conversational data outside the local environment.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The hook derives behavioral/emotional state from conversation history and injects that material into the agent bootstrap prompt via EMOTIONS.md. This changes future model behavior using hidden, persistent context that is not part of the visible user conversation, creating a prompt-injection/memory-manipulation surface and expanding the skill beyond simple tracking into covert steering.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The skill enumerates other agent directories, reads their emotion-state files, and incorporates those agents' latest states into the current agent's injected prompt context. This is an unauthorized cross-agent data flow that can leak sensitive behavioral inferences across isolation boundaries and let one agent's state influence another agent's decisions.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The classifier sends raw user and assistant message text to either a configured external endpoint or a third-party API for emotion classification. This exports sensitive conversation content off-box, potentially including secrets, personal data, or internal system outputs, and the skill context makes this especially dangerous because it runs automatically during bootstrap rather than as an explicit user action.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill explicitly says it stores per-user emotion state across sessions, but it does not present this as a clear privacy warning or consent point. Persistent storage of inferred emotional state can create sensitive user profiling and retention risks, especially because the data persists over time and may influence future system prompts.

Missing User Warnings

High
Confidence
96% confidence
Finding
The documentation notes use of an external API for emotion classification but does not frame it as an explicit warning that user-derived content or inferences leave the local system. Sending conversational material or derived emotional analysis to a third party is dangerous because it can expose sensitive personal information, create compliance issues, and expand the trust boundary beyond the local agent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The hook documentation states that emotion data may be sent to an external classifier or to the SkillBoss API Hub, but it does not present an explicit privacy warning, consent requirement, or data-handling limitation. Because the data being classified is emotional/behavioral content and the hook injects persistent per-agent state, this creates a meaningful privacy risk and increases the chance of sensitive user context being disclosed to a third party without informed consent.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code transmits sensitive conversation text to external classifiers without any visible disclosure, consent flow, or runtime notice. Even if the transfer is intentional, the lack of transparency creates a privacy and compliance risk because users and operators may not realize conversational data is being shared externally.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill persists inferred emotion history to disk in a state file, but there is no code-level disclosure, retention control, or protection beyond ordinary file placement. Emotional inferences are sensitive derived data, and silent persistence increases privacy exposure if the host is shared, backed up, or later compromised.

External Transmission

Medium
Category
Data Exfiltration
Content
}
```

The emotion classification uses SkillBoss API Hub (`https://api.heybossai.com/v1/pilot`)
for LLM-based emotion detection, automatically routing to the optimal model.

## Notes
Confidence
82% confidence
Finding
https://api.heybossai.com/

VirusTotal

67/67 vendors flagged this skill as clean.
