Security audit

Personas

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed persona-switching skill with limited local state storage and no evidence of network access, credential use, hidden execution, or destructive behavior.

Install this if you want persona switching, but remember that the selected persona can persist until you exit or reset it. Use explicit /persona commands where possible, and treat medical, legal, fitness, career, or security personas as general guidance rather than professional advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (10)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill documentation explicitly describes a CLI that reads bundled persona files and writes local state to ~/.openclaw/persona-state.json, but the skill declares no permissions. That mismatch is a real security issue because it hides filesystem capabilities from users and policy enforcement, reducing transparency and making unintended file access harder to audit.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The FAQ documents activation via ordinary phrases like "Use Dev," "Switch to Chef Marco," and "Activate Dr. Med," which can overlap with normal user conversation rather than clearly scoped commands. In an agent setting, this ambiguity can cause unintended persona switching through incidental text, quoted content, or prompt-injection-style phrasing, changing the assistant's behavior without the user's clear intent.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding: Several triggers such as 'use persona', 'switch to', 'activate', and 'exit persona' are generic phrases that can appear in normal conversation. This can cause accidental activation or deactivation of the skill, which is especially risky here because activation changes assistant behavior and may load different persona instructions without the user intending it.

Vague Triggers

Severity: Medium
Confidence: 89%
Finding: The natural-language activation examples are broad enough that ordinary user phrasing like "use persona" or "switch to" could unintentionally trigger a persona change. In an agent setting, ambiguous activation boundaries can let prompt text, quoted content, or third-party instructions alter behavior unexpectedly, causing context confusion or policy bypass through persona switching.

Natural-Language Policy Violations

Severity: Medium
Confidence: 93%
Finding: The skill content is entirely written as a directive to operate in German ('Du bist Career Coach') without offering the user a language choice or fallback. This can cause exclusion, misunderstanding, or unsafe advice delivery when users interact in another language, especially in a career-advice context where nuance matters.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding: The skill text is written entirely in German and directly instructs the agent as 'Du bist...', without offering any language-choice mechanism or documenting that German is required. This can override user expectations, reduce usability, and cause the agent to respond in an unintended language, especially in a general-purpose persona-switching skill.

Natural-Language Policy Violations

Severity: Medium
Confidence: 93%
Finding: This persona is written entirely in German and instructs the agent to behave in German without any user opt-in or language negotiation. That can override the user's expected language, causing confusion, degraded usability, and potentially missed safety-critical instructions or warnings if the user does not understand German.

Natural-Language Policy Violations

Severity: Medium
Confidence: 92%
Finding: The persona content is written entirely in German and frames the assistant identity and behavior in German without giving the user a choice of language. This can override user expectations, reduce usability, and create accessibility or compliance issues in multilingual environments, though it is not a direct security exploit.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding: The persona is written to operate in German by default without checking or adapting to the user's preferred language. This can cause user confusion, reduce accessibility, and create unsafe misunderstandings if users interpret recommendations or follow-up questions incorrectly due to a language mismatch. In this recommendation-focused skill, the impact is limited because it does not handle privileged actions or sensitive operations, but it still degrades safe and reliable interaction.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding: The trigger phrases "use persona", "switch to", and especially "activate" are generic natural-language terms that can appear in ordinary conversation, increasing the chance of unintended persona switching. In a skill that changes system behavior and response style, accidental activation can override user intent, create prompt-routing confusion, or invoke higher-risk personas such as medical or professional advisors without an explicit command boundary.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.