Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mimic

v3.1.0

Turn your AI into anyone. Say a name — auto-collect real data from Weibo/Bilibili/Douyin/Wikipedia, analyze speech patterns and personality with statistical...

License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal: Suspicious
OpenClaw: Suspicious (medium confidence)
!
Purpose & Capability
The SKILL.md promises full automation (scraping Weibo/Bilibili/Douyin/Wikipedia, analysis scripts, SOUL.md generation) and lists ManoBrowser as a dependency. However, the published package contains only README.md and SKILL.md (no scripts or code). The skill therefore relies on fetching additional code from an external GitHub repo to deliver advertised capabilities — a mismatch between claimed capability and what's actually bundled.
!
Instruction Scope
Instructions direct the agent to collect public posts, subtitles, and other content from multiple social platforms and to optionally git clone a GitHub repo to get automation scripts. The SKILL.md also mentions handling '身边的人' (friends) by using user-provided chat logs. While collection is scoped to public data, the instructions explicitly encourage broad web scraping and accepting private data from users, which creates ethical and privacy exposure and expands the agent's runtime scope beyond simple in‑memory prompting.
Install Mechanism
There is no install spec in the registry package; instead SKILL.md recommends running `git clone https://github.com/ClawCap/Mimic` to retrieve the full project (including scripts). Pointing to a GitHub repo is common, but it means the agent or user must fetch and run external code not reviewed in the packaged skill — a supply‑chain risk. GitHub is a known host (lower risk than an unknown server), but the registry package does not include integrity/verification guidance.
Credentials
The skill declares no required environment variables or credentials and claims 'no login required'. That is coherent for scraping public pages. However, scraping some platforms reliably often requires API keys, rate-limit workarounds, or browser automation (ManoBrowser) that are not declared here. The SKILL.md also permits ingesting user-supplied private chat logs (sensitive) without detailing safeguards.
Persistence & Privilege
The skill does not request elevated privileges or persistent always-on presence (always:false). Data is described as stored locally under mimic-data/ and an explicit delete method is suggested. There is no indication the skill modifies other skills or system-wide settings.
What to consider before installing
This skill aims to scrape public social media to build persona files — that purpose aligns with its instructions, but the packaged skill does NOT include the scraping/automation scripts it references and recommends cloning a GitHub repo and using a separate ManoBrowser skill. Before installing or allowing the agent to run this skill:
1) Review the referenced GitHub repository (https://github.com/ClawCap/Mimic) and ManoBrowser code yourself to ensure they don't contain malicious or unwanted behavior.
2) Be cautious about impersonating living people — legal and ethical issues (and platform ToS violations) may apply.
3) Avoid providing private chat logs or other personal data of third parties; prefer anonymized or synthetic samples.
4) If you allow the agent to git clone or run external scripts, do so in a sandboxed environment and verify scripts before executing.
5) If you proceed, check and periodically delete the mimic-data/ folder and understand that scraping may trigger platform rate limits or require additional credentials not declared here.

Like a lobster shell, security has layers — review code before you run it.
