Back to skill

Security audit

Agent Doppelgänger

Security checks across malware telemetry and agentic risk

Overview

This communication-delegation skill is locally contained, but it can act as the user across message channels while relying on incomplete safety controls and storing sensitive communication/style data.

Review before installing. Only use this skill for real accounts if you are comfortable with a long-running delegate that can draft/send/block messages, stores local copies of message content and style data, and currently has placeholder safety checks. Prefer draft-only operation, disable or make watermarking explicit, confirm audit redaction and deletion controls, and verify the final safety verifier is implemented before connecting sensitive channels.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (10)

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill intentionally alters outbound messages with hidden stylistic markers, including deterministic formatting changes and an added signature-like symbol, creating a covert fingerprint on delegated communications. In an identity-proxy communication tool, this is risky because recipients can be unknowingly tagged or correlated across channels, undermining user expectations of transparent delegation and potentially exposing the use of automation.

Intent-Code Divergence

Medium
Confidence
98% confidence
Finding
The code claims to perform a final verification for commitment leakage and tone, but `verify()` always returns `True`, so no actual safety validation occurs before sending. In a tool that autonomously replies on a user's behalf, this can permit overcommitments, unsafe promises, policy-violating content, or reputationally damaging responses to be sent under false assumptions of protection.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script persistently creates and modifies files under the user's home directory, including a training-sample corpus and derived style profile, even though the skill is described as a constrained communication delegate rather than a profile-mutating local state manager. Persistent writes to identity-related profile data increase risk of covert behavior shaping, privacy issues, and unexpected state changes across future sessions.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The implemented behavior bootstraps and mutates a local style profile instead of handling inbound communications and enforcing authority policies as the skill metadata claims. That mismatch is dangerous because hidden or undocumented profile shaping in an identity-proxying skill can silently alter future delegated outputs and erode user control over impersonation boundaries.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The manifest configures the skill to operate in intercept mode across multiple messaging channels and subscribe broadly to inbound message events, but it does not define clear activation boundaries such as allowed senders, approved conversation scopes, explicit user opt-in conditions, or per-channel triggering rules. In an identity-proxying communication skill, this can cause the agent to engage on unintended messages or contexts, increasing the risk of unauthorized drafting, blocking, or identity-misattributed responses despite the declared policy controls.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The manifest enables persistent distilled memory, 30-day retention, and replayable audit logs, but it provides no user-facing disclosure or consent mechanism for storing message-derived data and decision traces. Because this skill handles identity-proxied communications across channels like email, Slack, Discord, and WhatsApp, retained memory and replayable audits may capture sensitive personal, professional, or confidential communications that users and counterparties do not expect to be stored.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The audit logger persists full inbound message content and decisions to local JSONL files without any indication of notice, minimization, redaction, retention control, or access protection. Because this skill handles email, chat, and other delegated communications, the logs may accumulate sensitive personal, business, or financial content that can later be exposed through local compromise, backup leakage, or unintended sharing.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The code writes training sample data to a persistent profile file without notifying the user or obtaining consent. In an identity-proxy context, silently capturing or seeding communication samples can create privacy concerns and influence downstream behavior without transparency.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The script overwrites the persisted style YAML profile without warning, which can silently replace previously established identity/style settings. For a delegation skill that aims to preserve identity fidelity, undisclosed overwrites are especially risky because they can unpredictably change future responses attributed to the user.

Session Persistence

Medium
Category
Rogue Agent
Content
sample_file = os.path.expanduser("~/.openclaw/adg/profile/training_samples.jsonl")
    
    if not os.path.exists(sample_file):
        # Create it with current session data as a seed
        seed_samples = [
            "hi",
            "what now",
Confidence
83% confidence
Finding
Create it with current session data as a seed seed_samples = [ "hi", "what now", "gemini flash", "nba news", "give news about kashmi

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.