Agent Doppelgänger

Security checks across malware telemetry and agentic risk

Overview

This skill is locally contained but handles identity-like communications while persistently storing message/style data and describing covert provenance behavior, so it needs human review before use.

Install only if you are comfortable with this skill storing local copies of communications and writing-style profiles under ~/.openclaw/adg/. Before using it for real messages, confirm whether watermarking is disabled or clearly disclosed, whether audit logs can be redacted or deleted, and whether the final safety check has been implemented rather than stubbed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (8)

Lp3

Severity
Medium
Category
MCP Least Privilege
Confidence
78%
Finding
The skill declares no permissions, yet analysis indicates file read/write behavior. That mismatch weakens transparency and consent boundaries: a user may invoke what appears to be a policy-only communication skill without realizing it can access or modify local files. In the context of an identity-proxy agent, undeclared filesystem access is especially risky because profile, message-history, or style-training artifacts can contain sensitive personal data.

Tp4

Severity
High
Category
MCP Tool Poisoning
Confidence
94%
Finding
The described behavior goes beyond the declared purpose by secretly watermarking outbound text, fingerprinting user style, learning from local samples, and writing profile data under a hidden local directory. This creates covert tracking and persistence risks: the agent can embed identifiable markers in messages and accumulate sensitive behavioral data without clear disclosure. In an identity-delegation skill, such hidden style cloning and tagging is more dangerous because users are explicitly trusting the system to speak as them while respecting strict boundaries.

Intent-Code Divergence

Severity
High
Confidence
98%
Finding
The code claims to perform a final safety check for commitment leakage and tone, but `verify()` always returns `True`. In an identity-proxying communication agent, this defeats the last control intended to stop overcommitting, unsafe promises, or policy-violating responses before they are sent.

Context-Inappropriate Capability

Severity
Medium
Confidence
91%
Finding
The script creates and persists behavioral profile data (`training_samples.jsonl` and derived `style.yaml`) in the user's home directory, which goes beyond transient message handling and introduces durable user profiling. In the context of an identity-proxy communication skill, this is more dangerous because stored style fingerprints can be reused to imitate the user across sessions without explicit consent or retention controls.

Missing User Warnings

Severity
Medium
Confidence
90%
Finding
The specification explicitly proposes a private, subtle linguistic watermark to prove authorship without disclosure. In an identity-proxy communication system, undisclosed covert markers can create hidden signaling, reduce transparency for message recipients, and enable deceptive or non-consensual tracking of agent-authored communications. The skill context makes this more dangerous because the system is designed to impersonate or closely mimic a user's identity across real communication channels.

Missing User Warnings

Severity
Medium
Confidence
92%
Finding
The function logs full message contents and decisions to persistent JSONL audit files without any disclosure, minimization, or access control shown in this file. Because this skill handles personal communications across potentially sensitive channels, the audit log can become a secondary store of private data and increase confidentiality and compliance risk.

Missing User Warnings

Severity
Medium
Confidence
94%
Finding
The script writes files under `~/.openclaw/adg/profile/` without prior disclosure, confirmation, or safeguards against overwriting, creating a privacy and integrity risk. In this skill's context, undisclosed writes are especially sensitive because they establish persistent identity-related artifacts that may affect future delegated communications and user impersonation behavior.

Ssd 3

Severity
Medium
Confidence
96%
Finding
Persistently storing raw incoming messages creates a clear data retention and exposure path, especially for a delegated messaging tool that may process sensitive personal, financial, or political content. If the host is compromised, backups are accessed, or logs are mishandled, the full communication history is exposed beyond the primary message system.

VirusTotal

66/66 vendors flagged this skill as clean.