Personality Switcher

Security checks across malware telemetry and agentic risk

Overview

The skill mostly does what it says, but it automatically adds persistent behavior and Telegram command access that users should review before installing.

Install only if you want this skill to persistently rewrite OpenClaw identity files and make its commands available through Telegram. Back up SOUL.md, IDENTITY.md, HEARTBEAT.md, ~/.openclaw/openclaw.json, and the personalities directory first, and review whether automatic heartbeat restoration and Telegram command registration are acceptable in your environment.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Rogue AgentSelf-Modification, Session Persistence
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (13)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 93% confidence
Finding: The skill performs file read/write operations across the workspace but does not declare those permissions, reducing transparency and preventing users or a permission system from making an informed trust decision. In this skill, those writes affect persistent identity files and state, so the undeclared capability is materially relevant rather than incidental.

Tp4

High

Category: MCP Tool Poisoning
Confidence: 97% confidence
Finding: The documented purpose focuses on personality management, but the skill reportedly also edits Telegram command configuration, changes installation metadata, and removes its own files during uninstall. That broader behavior expands the trust boundary beyond what a user would reasonably expect, which is dangerous because hidden config changes and self-removal logic can mask persistence, disrupt tooling, or make forensic review harder.

Description-Behavior Mismatch

Medium

Confidence: 95% confidence
Finding: The installer modifies the global HEARTBEAT.md file to add an automatic restoration command, which expands the skill's behavior beyond simple personality file setup into persistent workflow execution. This creates a persistence mechanism that will repeatedly invoke skill-controlled code during future heartbeat processing, increasing attack surface and violating least privilege for an install step.

Context-Inappropriate Capability

Medium

Confidence: 89% confidence
Finding: The installer executes a subordinate Python script to register Telegram commands even though the install script's stated purpose is personality management. This introduces an unrelated integration capability at install time and could grant additional external control surfaces or side effects without clear necessity or user consent.

Intent-Code Divergence

Low

Confidence: 80% confidence
Finding: The installer overwrites the personality state file and forces the active personality to default, contradicting the advertised backup/rollback expectations. While not code execution by itself, this can destroy existing state and undermine trust in restoration logic, making recovery and auditability harder.

Description-Behavior Mismatch

Medium

Confidence: 91% confidence
Finding: This script modifies the user's gateway configuration to add Telegram commands that are not evident from the skill's primary interface description, effectively expanding the skill's reachable command surface. Even though the added commands are related to the stated personality-switching feature, silently registering external chat commands can create unexpected exposure, increase attack surface, and bypass user expectations or administrator review of enabled interfaces.

Missing User Warnings

Medium

Confidence: 89% confidence
Finding: The skill exposes a permanent delete operation for user-created personalities without prominently warning about irreversible data loss. Because the personalities contain persisted SOUL/IDENTITY content, accidental invocation could destroy user-authored data and backups may not guarantee restoration of the specific deleted personality.

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: Installation and heartbeat behavior automatically modify workspace files on an ongoing basis, but the description does not clearly foreground that persistent automatic rewriting will occur. This is risky because silent background restoration can overwrite manual edits, reintroduce prior state after a session reset, and create unexpected persistence in core identity files.

Missing User Warnings

Medium

Confidence: 77% confidence
Finding: The installer creates and populates persistent workspace directories without any user warning or confirmation. Although common in installers, these writes affect long-lived state under the user's home directory and should be disclosed because they persist across sessions and may overwrite expected defaults.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The installer overwrites the state file on install and silently resets the active personality to default. This can cause loss of user configuration and may alter future assistant behavior in a way the user did not intend, especially given the skill's persistence across session boundaries.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: Automatically modifying HEARTBEAT.md without prior disclosure injects recurring behavior into a global workflow file. In the context of a skill that persists personality state across sessions, this is more dangerous because it establishes durable execution hooks outside the user's immediate awareness.

Missing User Warnings

Medium

Confidence: 86% confidence
Finding: The installer runs an additional Python script during installation without disclosing that code execution will occur. Executing subordinate code at install time increases risk because the user cannot easily assess side effects, and here it is tied to an unrelated Telegram capability.

Session Persistence

Medium

Category: Rogue Agent
Content: --- name: personality-switcher description: Create and switch between AI assistant personalities. Use /personality to list and activate saved personalities. Use /create-personality to design new personas with auto-filled SOUL and IDENTITY. Personalities persist across session boundaries and conversation compacting with automatic heartbeat restoration. Atomic switching with backup and rollback safeguards. Always backs up current state before switching. --- # Personality Switcher Skill
Confidence: 94% confidence
Finding: Create and switch between AI assistant personalities. Use /personality to list and activate saved personalities. Use /create-personality to design new personas with auto-filled SOUL and IDENTITY. Pers

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal