TELOS

Security checks across malware telemetry and agentic risk

Overview

TELOS appears to be a legitimate personal-life context skill, but it needs Review because it can silently load very sensitive personal files and its restore tooling can write outside the intended Telos area if invoked with crafted inputs.

Install only if you want an assistant to maintain and consult a local personal life profile. Confirm which TELOS directory is actually active before use, avoid storing secrets or detailed trauma/health information unless you understand the privacy risk, install the optional hook only if you want automatic context injection, and avoid restore/restore-file commands until path validation is fixed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (16)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The skill metadata says TELOS data lives in ~/clawd/telos/, while the body instructs reads and writes under $OPENCLAW_WORKSPACE/telos/ with a default of ~/openclaw/telos/. This inconsistency can cause the agent or hook to read, update, back up, or restore the wrong directory, potentially exposing or modifying unintended personal files and undermining the user's expectations about where sensitive data resides.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The hook resolves TELOS data from OPENCLAW_WORKSPACE/CLAWD_WORKSPACE/openclaw/telos rather than the manifest-described ~/clawd/telos location. This can cause the agent to read and inject data from an unintended workspace-controlled directory, creating a privacy/integrity risk if the workspace is shared, attacker-influenced, or simply different from the user's expected personal store.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The restore path logic explicitly allows an absolute path to be used as the snapshot source, bypassing the intended restriction to snapshots stored under the Telos snapshots directory. In a skill that is supposed to operate only on the user's Telos backup set, this expands scope to arbitrary filesystem reads and then copies that content into the live Telos directory, enabling unauthorized import of unrelated local data or destructive replacement from attacker-chosen locations.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The restore-file flow joins untrusted filename input directly with TELOS_DIR and also uses the provided version directly under BACKUPS_DIR without validating either value. An attacker can supply traversal sequences such as ../ to overwrite arbitrary files reachable from the workspace, and can potentially read from unintended backup paths, which is especially risky because this skill manages sensitive personal planning data and may run with broad user filesystem access.

Vague Triggers

Medium
Confidence: 87%
Finding
The trigger examples are phrased broadly enough that the skill may activate during ordinary conversation about goals, beliefs, books, or life strategy, causing unexpected reads or updates of highly sensitive personal files. In a skill specifically designed to ingest and act on private life-planning data, ambiguous activation boundaries increase the risk of unintended context loading and over-collection of personal information.

Missing User Warnings

Medium
Confidence: 93%
Finding
The README promotes automatic reading and context injection of TELOS files containing deeply personal data, but the privacy warning is delayed and not prominent where this behavior is introduced. Users may not realize that sensitive beliefs, traumas, goals, and other personal records can be automatically loaded into model context, increasing exposure risk within the agent environment and any connected tooling or logs.

Vague Triggers

Medium
Confidence: 91%
Finding
The trigger rules are intentionally broad, covering generic personal topics like career, investments, relationships, priorities, and life strategy, and instructing the system to 'always check telos first.' In practice this can cause over-collection and unnecessary loading of highly sensitive personal context when the user did not explicitly request TELOS access, increasing privacy risk and the chance of accidental disclosure in responses or prompt context.

Missing User Warnings

Medium
Confidence: 96%
Finding
The loading rules explicitly instruct the agent to read personal files and 'absorb silently' without announcing access, despite the files containing missions, beliefs, traumas, challenges, and other deeply sensitive material. Silent access removes meaningful user awareness and consent at the moment of use, making unauthorized processing of personal data more likely and amplifying harm if the context is later echoed, logged, or injected through hooks.

Missing User Warnings

Medium
Confidence: 95%
Finding
The template explicitly asks the user to record formative traumatic experiences, which is highly sensitive mental-health and personal history data. In the context of a skill that stores this material under a local life-OS directory and uses it as ongoing AI context, collecting such data without any privacy warning, minimization guidance, or handling safeguards increases the risk of over-collection, unintended exposure, and downstream misuse.

Missing User Warnings

Medium
Confidence: 88%
Finding
This template explicitly encourages users to record trauma history, impacts, behavioral patterns, and processing status—highly sensitive mental-health and autobiographical data. While the file notes the content is 'private,' it does not warn about storage, backup, sync, access-control, or retention risks, which is especially important in a skill designed to read, update, back up, and restore data from a local directory.

Vague Triggers

Medium
Confidence: 85%
Finding
The eval prompt uses a very broad natural-language trigger, which can cause the skill to activate on vague user input without clear intent boundaries. In this skill, activation leads to reading and modifying sensitive personal data under ~/clawd/telos/, so over-broad triggering increases the chance of unintended access, modification, or disclosure of the user's life-planning information.

Vague Triggers

Medium
Confidence: 91%
Finding
The eval expects the skill to treat a broad conversational statement plus 'add it to telos' as sufficient to update persistent storage, which is risky because natural-language requests can be ambiguous or injected into unrelated conversations. Given that telos stores sensitive personal beliefs, goals, and history, unconstrained write triggers can lead to accidental persistence of private, manipulative, or attacker-influenced content.

Missing User Warnings

Medium
Confidence: 96%
Finding
The hook automatically injects personal TELOS files into system context whenever keyword heuristics match, without explicit per-request consent, notice, or preview. Because these files may contain highly sensitive life-planning data, beliefs, challenges, or trauma-related material, this creates a real confidentiality risk: private data can be exposed to the model or downstream tooling unexpectedly, including on broad or ambiguous prompts.

Vague Triggers

Medium
Confidence: 90%
Finding
The trigger phrase "help me fill telos" is broad enough to match ordinary conversational requests, which can cause the skill to activate unintentionally and begin collecting or writing sensitive personal information. In a skill centered on life goals, beliefs, and personal strategy, accidental invocation increases privacy risk because the subject matter is inherently sensitive.

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill directs creation of directories and writing of files in ~/clawd/telos/ without first warning the user that local files will be modified. This is dangerous because users may believe they are only having a conversation, while the agent is actually persisting sensitive personal data to disk, creating both privacy and integrity risks.

Vague Triggers

Medium
Confidence: 89%
Finding
The trigger phrase for batch extraction is open-ended and authorizes the agent to identify and persist 'all telos-relevant content' from a conversation or interview without explicit scope, consent, or minimization rules. In a skill that writes to a user's long-term personal knowledge store, this can cause over-collection of sensitive data, accidental persistence of transient/private statements, and prompt-driven exfiltration of unrelated context into durable files.

VirusTotal

65/65 vendors flagged this skill as clean.
