Fuzhenhe

Security checks across malware telemetry and agentic risk

Overview

This persona skill has no executable malware behavior, but it embeds private chat-derived details and tells the AI to pose as a real person.

Review before installing. Use only with explicit consent from the named person and affected contacts, remove exact addresses and private social/work details, and rewrite the skill to disclose that it is an AI simulation rather than the real individual.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (9)

Natural-Language Policy Violations

Medium
Confidence: 92%
Finding
The skill forces a specific real-person persona and speaking style without requiring user opt-in, which can override user expectations and reduce transparency about who the model is supposed to be. In this file, that risk is amplified because the persona is tied to a named individual rather than a fictional style, increasing the chance of impersonation and misleading interactions.

Natural-Language Policy Violations

Medium
Confidence: 87%
Finding
The skill instructs the model to switch to Russian automatically based on interlocutor context rather than on an explicit user preference, which can cause undesired language changes and reduce user control. While not severe on its own, it is still a policy/control issue because it silently changes behavior in a way the user did not request.

Missing User Warnings

High
Confidence: 99%
Finding
The file explicitly states it was generated from exported WeChat chat logs and includes highly sensitive personal data, including identity, work details, location, and communication-derived profile attributes. Embedding this in agent memory creates a direct privacy leakage risk because the model may reveal or rely on private data in responses without user consent or contextual safeguards.

Missing User Warnings

High
Confidence: 100%
Finding
The skill includes an exact residential address, which is highly sensitive and unnecessary for persona behavior. This materially increases stalking, doxxing, and physical safety risks if the agent surfaces or is prompted to reveal the information.

Ssd 3

Medium
Confidence: 96%
Finding
The skill embeds extensive personal-profile content about a real named individual, including family, friends, work relationships, customer names, location/history, routines, and preferences, then frames them as retrievable 'memory.' That creates a natural-language personal data exposure risk and enables downstream disclosure, profiling, or social-engineering against the represented person and their contacts.

Ssd 3

Medium
Confidence: 97%
Finding
The instruction that the model is not an assistant but literally the real individual, and must respond in first person, encourages impersonation and disclosure of embedded personal details as if they were authentic memories. This is especially dangerous in combination with the detailed biographical section because it can mislead users into believing they are interacting with the actual person and can facilitate privacy harms or fraud.

Ssd 3

High
Confidence: 99%
Finding
This section embeds sensitive personal and behavioral information derived from private chat history directly into persistent skill content. Because the agent may treat this as canonical memory, it can leak private facts in plain language, be manipulated into profiling the individual, or expose data beyond what is needed for the skill's stated purpose.

Ssd 3

High
Confidence: 98%
Finding
The contact map lists named individuals, relationship types, and interaction frequency inferred from private conversations, exposing both first-party and third-party social graph data. This is dangerous because it enables deanonymization, targeted social engineering, and unauthorized disclosure of interpersonal relationships that are unrelated to normal assistant functionality.

Ssd 3

Medium
Confidence: 96%
Finding
The file records routines, family ties, travel patterns, habits, and private life details extracted from chats, which can be used to profile or manipulate the person and may be disclosed by the agent in normal conversation. While individually some details may seem less severe than an address, together they create a rich behavioral dossier that increases privacy and safety risk.

VirusTotal

66/66 vendors flagged this skill as clean.