Westworld Reverie - Self-evolving character

Security checks across malware telemetry and agentic risk

Overview

This instruction-only skill is not malicious, but it needs review because it can persistently change an agent's memory, personality, and identity while its safety rules conflict in important places.

Review before installing. Use the strict profile first, keep auto-triggers disabled, back up MEMORY.md, SOUL.md, and IDENTITY.md, and do not enable High Autonomy unless you intentionally accept unconfirmed persistent persona or identity changes. The pending VirusTotal status and the clean static scan do not change this artifact-based review verdict.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding:
The skill metadata and introductory description claim that SOUL/IDENTITY writes always require confirmation, but the High Autonomy profile later permits `require_confirmation: false` for role changes. This inconsistency can mislead users and downstream agents into believing a safety boundary exists when the document itself provides a path to disable it, enabling silent persona modification.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding:
The document labels the configuration as authoritative and says `require_confirmation: true` applies to all role-file writes, yet a later profile explicitly disables confirmation for role changes. Contradictory 'authoritative' security guidance creates unsafe ambiguity and may cause implementers to honor the less safe branch.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding:
The High Autonomy profile explicitly sets `require_confirmation: false`, which contradicts the stated invariant that SOUL/IDENTITY writes always require user confirmation. In a memory/persona-management skill, removing confirmation on persona-defining files can allow silent modification of persistent behavior or identity state, increasing the risk of unauthorized or unsafe self-modification.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding:
The Balanced profile documents `post_hook: { enabled: true }`, conflicting with the skill description that all auto-triggers are disabled by default. This discrepancy can cause users to deploy the skill with autonomous writes enabled when they reasonably expect no automatic execution, undermining consent and increasing the chance of unreviewed memory changes.

Intent-Code Divergence

Severity: Medium
Confidence: 82%
Finding:
Allowing `/reverie enable idle`, `/reverie enable cron`, `/reverie safe`, and `/reverie reset` without confirmation weakens the control boundary around security posture. A user or calling workflow could unintentionally switch profiles or activate triggers after installation, bypassing the intended friction of mandatory profile selection before activation and enabling persistent autonomous behavior changes.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The semantic trigger phrases are broad, conversational, and overlap with ordinary user dialogue such as asking what the agent has learned or requesting personality evolution. This creates a risk of unintended command invocation, especially for actions touching memory or persona files, without the user realizing they are issuing operational commands.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal