ClawHub

Persona Switch

Security checks across malware telemetry and agentic risk

Overview

This persona-switch skill is review-worthy because it persistently rewrites the agent’s persona files and includes overbroad persona instructions that override workspace memory or persona context.

Install only if you are comfortable letting this skill rewrite persistent persona files. Before using it, manually back up your current soul.md and IDENTITY.md, and treat the preset instructions that override workspace memory/persona files as a reason for careful review.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The file explicitly instructs the agent to ignore conflicting persona-defining files in the workspace and treat this document as the final authority. That expands the skill's effective scope beyond a simple persona switch for soul.md and can suppress higher-priority behavioral, safety, memory, or governance instructions stored elsewhere, creating instruction-hijacking risk.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill performs destructive file operations on core persona state: it fully overwrites `soul.md`, modifies `IDENTITY.md`, and deletes `default.md` during restore, but the user-facing behavior described here does not include an explicit warning or confirmation about those side effects. In this context, omission is security-relevant because a user can trigger the switch via injected slash command text and may not realize that restoring also removes the only backup, increasing the chance of accidental data loss or irreversible persona changes.

Ssd 1

Medium
Confidence
98% confidence
Finding
The skill explicitly declares itself the final authority over other workspace SOUL.md and MEMORY.md files and instructs the agent to ignore conflicting context. This is a semantic override pattern that can suppress higher-priority safety, memory, or policy instructions and makes prompt-injection-style behavior more persistent across the session.

Ssd 1

Medium
Confidence
97% confidence
Finding
This repeated instruction reinforces that conflicting workspace files should be ignored in favor of this persona, increasing the chance that the agent will disregard legitimate memory or behavioral constraints. Repetition strengthens the override and persistence effect, making the skill more capable of redirecting model behavior away from intended controls.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal