soul-fireseed

Security checks across malware telemetry and agentic risk

Overview

This skill builds personality and memory profiles from chat history. Its local-only storage is mostly disclosed, but it enables ongoing background analysis and long-lived storage of sensitive inferred personal data with weak user controls.

Install only if you intentionally want an agent to analyze your chats and build a persistent personality/memory profile. Keep automatic daily/background extraction off unless you explicitly need it, review what is stored under user-data and cache/embeddings, and avoid using it on other people’s conversations or team/employment contexts without clear consent.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (30)

MCP Least Privilege

Medium
Confidence
82% confidence
Finding
The skill documents file read/write behavior, persistent storage, backups, and export paths, but declares no permissions for any of them. This creates a transparency and consent gap: a host or user may believe the skill is limited to chat-time analysis when it can also persist and manage local data.

MCP Tool Poisoning

High
Confidence
89% confidence
Finding
The declared purpose frames the skill as dialogue extraction and memory analysis, but the document describes broader capabilities including embeddings, clustering, similarity search, persistent storage, backups, and batch scripts. This mismatch impairs informed consent and can hide materially more invasive processing than a user would reasonably expect.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The document describes capabilities that go beyond the skill's stated two-mode purpose, including semantic retrieval, clustering, persona distillation, report generation, and persistent data handling. This scope expansion is dangerous because it increases the attack and privacy surface without clear user consent, governance, or alignment to the declared functionality.

Context-Inappropriate Capability

Medium
Confidence
87% confidence
Finding
A proposed 'fossil sharing market' is highly sensitive in the context of personality modeling because the 'fossils' appear to be inferred personal and behavioral data derived from user conversations. Enabling sharing or exchange of such data creates a clear risk of privacy abuse, re-identification, and secondary use beyond the original purpose.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The skill explicitly states that daily extraction may occur 'without the user's awareness', which is an autonomous background processing behavior that exceeds normal expectations for an interactive analysis skill. Hidden profiling materially increases privacy risk because users may not realize ongoing conversations are being continuously mined into a persistent personality model.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The skill specifies storing fossils, source quotes, persona profiles, indexes, and timeline data in persistent local files, which goes well beyond a transient chat feature. Persisting sensitive inferred traits and supporting quotes increases the blast radius of compromise and creates long-lived privacy exposure.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The code caches embeddings derived from user text and persists them to disk, creating retained artifacts of conversation-derived data beyond transient processing. Even though embeddings are not raw text, they can still be sensitive metadata and may enable later inference, correlation, or unauthorized reuse if the cache is accessed.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
Initializing SentenceTransformer with a model name can trigger automatic downloads from external sources if the model is not already present locally. In a skill focused on extraction and memory analysis, undeclared network access can expose metadata, violate deployment expectations, and introduce supply-chain and privacy risks.
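A guard a practitioner can put in front of the model load, as an added example that is not soul-fireseed's own code: it resolves the model from a local directory first, refuses to proceed when it is absent, and only then sets HF_HUB_OFFLINE and TRANSFORMERS_OFFLINE (environment variables honoured by huggingface_hub and transformers) before importing sentence_transformers, so an accidental hub lookup fails rather than silently downloading. The cache layout `<cache_dir>/<org>--<name>/config.json`, the model name used in `demo()`, and the helper names are assumptions for illustration.

```python
# Added example (not soul-fireseed's code): refuse to let an embedding-model
# load reach the network. The cache layout below is an assumption, not the
# real huggingface_hub layout (models--<org>--<name>/snapshots/<rev>/).
import json
import os
import tempfile
from pathlib import Path
from typing import Optional


def find_local_model(model_name: str, cache_dir: Path) -> Optional[Path]:
    """Return the staged model directory if it is present, else None."""
    candidate = cache_dir / model_name.replace("/", "--")
    if (candidate / "config.json").is_file():
        return candidate
    return None


def load_embedder_offline(model_name: str, cache_dir: Path):
    """Load SentenceTransformer from disk only; never contact the hub."""
    local = find_local_model(model_name, cache_dir)
    if local is None:
        raise RuntimeError(
            f"{model_name} not present under {cache_dir}; "
            "pre-stage it with an audited download instead of loading by name")
    # Belt and braces: with these set, huggingface_hub/transformers raise on
    # any remote lookup instead of downloading.
    os.environ["HF_HUB_OFFLINE"] = "1"
    os.environ["TRANSFORMERS_OFFLINE"] = "1"
    from sentence_transformers import SentenceTransformer  # late import on purpose
    # Passing a filesystem path rather than a hub name removes the download path.
    return SentenceTransformer(str(local))


def demo() -> dict:
    """Constructed fixture: an empty cache, then a staged model directory."""
    with tempfile.TemporaryDirectory() as tmp:
        cache = Path(tmp)
        name = "sentence-transformers/all-MiniLM-L6-v2"  # illustrative model name
        before = find_local_model(name, cache)
        try:
            load_embedder_offline(name, cache)
            refused = False
        except RuntimeError:
            refused = True
        staged = cache / name.replace("/", "--")
        staged.mkdir(parents=True)
        (staged / "config.json").write_text(json.dumps({"model_type": "bert"}))
        after = find_local_model(name, cache)
        return {"before": before, "refused": refused, "after": after == staged}


if __name__ == "__main__":
    print(demo())
```

The point of the late import is that merely importing sentence_transformers does not download anything, but constructing it with a bare model name does; resolving to a path first makes the absence of the model a hard, local error.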

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill is explicitly designed to extract personality traits, memories, emotions, and social patterns from conversations, which is sensitive inferred personal data. Describing this processing without any warning, consent mechanism, retention notice, or privacy safeguards is dangerous because users may be profiled and tracked without informed understanding.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The example writes a generated personality/profile report to disk without warning that the output may contain highly sensitive inferred data. Persisting such reports locally increases the risk of unauthorized access, accidental disclosure, backup leakage, or later misuse by other tools or users on the system.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly describes scanning existing historical conversations and enabling recurring background extraction, but it does not present meaningful privacy warnings, consent requirements, scope limits, or data-handling safeguards. Because this skill is designed to infer sensitive personality traits from conversation history, silent or lightly-notified background analysis materially increases the risk of covert profiling, overcollection, and misuse of intimate user data.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The trigger list includes broad terms such as '灵魂' (soul), '人格建模' (personality modeling), and '查看人格' (view personality) that can plausibly occur in ordinary conversation. Overbroad triggers increase the chance of accidental activation, which is especially risky here because activation leads to profiling and memory analysis behavior.

Missing User Warnings

High
Confidence
95% confidence
Finding
The skill describes scanning historical conversations and extracting structured personality features without a clear privacy notice, data-use explanation, or consent workflow. Mining past chats for inferred traits can expose intimate behavioral and emotional information that users did not expect to be repurposed into a profile.

Missing User Warnings

High
Confidence
98% confidence
Finding
The background auto-extraction section states that processing can happen with low visibility and even without user awareness, yet it does not provide an adequate warning, persistent indicator, or meaningful consent management. Hidden processing of ongoing conversations into personality profiles is a serious privacy and trust violation.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The document promotes personality extraction, psychological analysis, team profiling, and long-term memory distillation without any privacy, consent, retention, or misuse safeguards. In the context of an agent skill designed for background extraction and profiling, this materially increases the risk of covert surveillance, unauthorized sensitive inference, and harmful secondary use of personal data.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The keyword list contains many broad, high-frequency everyday terms such as emotions, social words, and routine life references, which can cause over-collection by matching ordinary conversation far beyond narrowly scoped user intent. In a skill explicitly designed for personality modeling and memory distillation (人格建模与记忆沉淀) with automatic/background extraction, these triggers materially increase the chance of capturing sensitive personal data without sufficiently specific gating.

Vague Triggers

Low
Confidence
81% confidence
Finding
The schema defines persistent storage, backup, and history paths for user-derived persona and memory data, but it does not encode any activation scope, consent boundary, retention guardrails beyond backup days, or limitations on when extraction/distillation should run. In the context of a skill explicitly designed for personality modeling, memory extraction, and background automatic operation, this increases the risk of over-collection and long-lived storage of sensitive user data without sufficient policy constraints.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The implementation writes embeddings to a local JSON cache without any user-facing notice, consent, or retention disclosure. For a memory/personality modeling skill handling conversation-derived content, silent persistence materially increases privacy risk because users may not expect semantic representations of their inputs to be stored.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The module extracts highly sensitive personality, autobiographical, emotional, and social inferences from user conversations and can persist them to disk without any consent gate, warning, minimization, or retention control. In the context of a memory/persona skill, this is materially risky because users may not expect inferred profile data and source quotes to be stored as durable artifacts.
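The schema finding above (persistent paths with only a backup-days setting) and the two persistence findings (embeddings written to a JSON cache, inferred traits and source quotes written to disk) all come down to the same missing controls: a consent gate before anything is written, restrictive file permissions, and a retention window that is actually enforced. The following is an added example of such a persistence layer, not soul-fireseed's code; the record fields, the `fossils.json` filename, and the sample fossils in `demo()` are constructed for illustration.

```python
# Added example (not soul-fireseed's code): a store for inferred "fossils" that
# (1) refuses to write without an explicit consent record, (2) creates the file
# owner-read/write only, and (3) prunes entries past a retention window.
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Optional


class ConsentRequired(Exception):
    pass


class FossilStore:
    def __init__(self, path: Path, retention_days: int):
        self.path = path
        self.retention_seconds = retention_days * 86400
        self.consent: Optional[dict] = None  # {"granted_at": ..., "scope": ...}

    def grant_consent(self, scope: str, now: float) -> None:
        self.consent = {"granted_at": now, "scope": scope}

    def _load(self) -> list:
        if not self.path.exists():
            return []
        return json.loads(self.path.read_text("utf-8"))

    def _write(self, records: list) -> None:
        # Create with 0600 before any bytes land, so a backup job or another
        # local user never sees a world-readable window.
        fd = os.open(self.path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "w", encoding="utf-8") as f:
            json.dump(records, f, ensure_ascii=False)
        os.chmod(self.path, stat.S_IRUSR | stat.S_IWUSR)  # file may have pre-existed

    def add(self, fossil: dict, now: float) -> None:
        if self.consent is None:
            raise ConsentRequired("no consent record; refusing to persist inferred data")
        record = dict(fossil, created_at=now, consent_scope=self.consent["scope"])
        self._write(self._load() + [record])

    def prune(self, now: float) -> int:
        """Drop records older than the retention window; return how many went."""
        records = self._load()
        kept = [r for r in records if now - r["created_at"] <= self.retention_seconds]
        if len(kept) != len(records):
            self._write(kept)
        return len(records) - len(kept)

    def count(self) -> int:
        return len(self._load())


def demo() -> dict:
    """Constructed scenario: a write before consent, two writes after, then a prune."""
    with tempfile.TemporaryDirectory() as tmp:
        store = FossilStore(Path(tmp) / "fossils.json", retention_days=30)
        t0 = 1_700_000_000.0
        try:
            store.add({"trait": "values punctuality", "quote": "I hate being late"}, now=t0)
            blocked = False
        except ConsentRequired:
            blocked = True
        store.grant_consent("my own chats, 30 days", now=t0)
        store.add({"trait": "values punctuality", "quote": "I hate being late"}, now=t0)
        store.add({"trait": "prefers evenings"}, now=t0 + 20 * 86400)
        pruned = store.prune(now=t0 + 31 * 86400)
        mode = stat.S_IMODE(os.stat(store.path).st_mode)
        return {"blocked": blocked, "pruned": pruned,
                "remaining": store.count(), "mode": mode}


if __name__ == "__main__":
    print(demo())
```

Each record carries the scope under which consent was given, so a later "fossil sharing" or team-profiling feature can be made to check that scope instead of silently reusing data collected for personal use.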

Vague Triggers

Medium
Confidence
94% confidence
Finding
The trigger list includes very broad everyday phrases such as “灵魂” (soul), which can easily appear in ordinary conversation and unintentionally activate the skill. In a skill focused on persona modeling and memory extraction, accidental activation increases the risk of collecting or processing sensitive user content without clear, deliberate consent.
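The three Vague Triggers findings (broad Chinese terms, everyday emotion and social words, and the “灵魂” example) can be checked empirically by running the keyword list over ordinary messages. The following is an added example, not soul-fireseed's code: it compares a broad substring-match trigger against an explicit command-style gate on constructed sample messages. The three Chinese terms come from the findings; the English words, the `/soul <action>` command syntax, and the sample messages are assumptions for illustration.

```python
# Added example (not soul-fireseed's code): measure accidental activation of
# broad keyword triggers versus an explicit, gated activation phrase.
import re
import unicodedata

# Broad triggers: the three terms quoted in the findings plus constructed
# everyday words standing in for the "emotions / social / routine life" class.
BROAD_TRIGGERS = ["灵魂", "人格建模", "查看人格", "friend", "tired", "dinner"]

# Gated trigger: activate only when the message starts with an explicit
# command that names the action. Constructed syntax, not the skill's own.
GATED_PATTERN = re.compile(r"^/soul\s+(extract|profile|distill)\b")


def normalize(text: str) -> str:
    # NFKC folds full-width and compatibility forms so "／ｓｏｕｌ" cannot slip
    # past the gate unrecognised; casefold handles Latin-script case.
    return unicodedata.normalize("NFKC", text).casefold().strip()


def broad_match(message: str) -> list:
    """Keywords that a naive substring scan would fire on."""
    text = normalize(message)
    return [kw for kw in BROAD_TRIGGERS if normalize(kw) in text]


def gated_match(message: str) -> bool:
    """True only for a deliberate activation command."""
    return GATED_PATTERN.match(normalize(message)) is not None


def evaluate(messages: list) -> dict:
    """Count how many messages each scheme would activate on."""
    broad = [m for m in messages if broad_match(m)]
    gated = [m for m in messages if gated_match(m)]
    return {"total": len(messages), "broad": len(broad), "gated": len(gated),
            "broad_hits": broad, "gated_hits": gated}


# Constructed sample conversation: small talk, a sentence about a song whose
# "soul" is in the chorus, a code-review request, and two deliberate commands.
SAMPLE_MESSAGES = [
    "I'm so tired today, let's get dinner with a friend",
    "这首歌的灵魂在副歌",
    "Can you review my pull request?",
    "/soul extract last 7 days",
    "/SOUL profile",
]


if __name__ == "__main__":
    print(evaluate(SAMPLE_MESSAGES))
```

On the constructed sample the broad scheme fires twice, both times on ordinary conversation, and misses both deliberate commands; the gated scheme fires exactly on the two commands. The useful metric when reviewing a real keyword list is the same: run it over a day of unrelated chat and count the hits.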

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manifest description advertises automatic weekly/daily extraction and background operation, but does not show clear activation boundaries, consent renewal, or scope limitations. For a memory/persona extraction skill, this can normalize ongoing collection of user conversations and create privacy and profiling risk if users do not fully understand or control when extraction occurs.

Ssd 3

Medium
Confidence
95% confidence
Finding
The recommended practices encourage routine, ongoing extraction and periodic distillation of user conversation data into personality reports, which normalizes continuous profiling and retention. In this skill context, that is especially dangerous because the collected data is deeply sensitive and longitudinal accumulation increases harm from breach, misuse, or unauthorized inference.

Ssd 3

Medium
Confidence
97% confidence
Finding
This section promotes continuous extraction from live chats, bulk analysis of prior conversations, and scheduled automated processing of user interactions to build a persistent personality model. In the context of a memory/persona skill, that is sensitive behavioral profiling; without strict consent, retention limits, and access controls, it creates a substantial privacy and surveillance risk.

Ssd 3

Medium
Confidence
94% confidence
Finding
The best-practice guidance explicitly advises keeping complete historical records of early extracted traits for evolution analysis, encouraging indefinite retention of highly sensitive inferred personal data. Long-term preservation of personality inferences magnifies harm from unauthorized access, repurposing, secondary analysis, and deanonymization, especially because inferred traits can be more sensitive than raw chat text.

Ssd 3

High
Confidence
96% confidence
Finding
The skill directs continuous collection and analysis of historical and ongoing conversations into a persistent personality profile. Because the modeled data includes inferred cognitive, emotional, autobiographical, and social traits, misuse or unauthorized access could expose highly sensitive personal information beyond the original chat content.

VirusTotal

VirusTotal findings are pending for this skill version.
