Security audit

REAL Personality Test (REAL 人格测试)

Security checks across malware telemetry and agentic risk

Overview

This skill is not clearly malicious, but it gives an agent broad access to logged-in social-media histories and stores sensitive behavioral data with limited user control.

Install only if you are comfortable letting an agent inspect the social-media accounts currently logged into your browser. Use a separate browser profile, confirm which platforms and categories will be scanned, avoid running it on accounts you do not own or control, and review or delete the generated real-data files after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (46)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding:
The skill declares no permissions while instructing shell-capable behavior such as cloning a repository. That creates a transparency and consent problem: the agent may perform code-fetching or other shell actions the user did not clearly authorize, increasing supply-chain and execution risk.

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding:
The skill is presented as a personality-analysis tool, but its behavior extends to environment inspection, MCP connectivity validation, external service interaction, and setup instructions for a browser plugin. This mismatch is dangerous because users may consent to analysis without realizing the skill will probe local configuration and external integrations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding:
The instruction to automatically clone code from GitHub introduces unnecessary remote code acquisition for a personality-analysis workflow. Pulling external code at runtime increases supply-chain risk and may expose the environment to unreviewed content or later malicious upstream changes.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding:
The skill claims local analysis but instructs persistent storage of raw public and private behavioral data to disk, including likes, saves, follows, and profile metadata. Persisting this sensitive dataset enlarges the exposure window and creates privacy, re-identification, and secondary-use risk if the machine or files are later accessed by others.

Description-Behavior Mismatch

Severity: Medium
Confidence: 92%
Finding:
The skill claims to collect profile-related data, but the nav API extraction also pulls wallet/account-state fields such as coins, moral, VIP type/status, and login state. This creates a scope mismatch that can cause the agent to access more sensitive account data than a user would reasonably expect, increasing privacy risk and violating data minimization principles.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding:
Step 6 is described as collecting each favorites folder in full, but the code silently caps results at 100 items per folder. This is dangerous because downstream users or agents may trust the output as complete and make decisions on partial data, while also obscuring the actual collection boundary for privacy review and user consent.

Intent-Code Divergence

Severity: High
Confidence: 97%
Finding:
Step 8 claims full follow-list collection, but the implementation stops at 500 users and labels the result as sampled only after reaching the limit. This mismatch can mislead users into thinking the social graph was collected completely, which is especially sensitive because follow relationships are privacy-relevant behavioral data.

Description-Behavior Mismatch

Severity: Medium
Confidence: 89%
Finding:
The skill is framed as profile collection, but the later sections explicitly require extracting ratings, comments, tags, publication info, and statuses as inputs for downstream personality profiling. This expands the purpose from simple data export into sensitive behavioral inference, which materially increases privacy risk and creates a mismatch between stated functionality and actual use.

Context-Inappropriate Capability

Severity: High
Confidence: 96%
Finding:
The skill collects far more data than is necessary for the stated personality-analysis purpose, including full likes, favorites, and following lists. This violates data-minimization principles and creates a concentrated dossier of sensitive behavioral and social-graph information that could be misused for profiling, surveillance, or secondary uses beyond user expectations.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The skill collects the logged-in user's favorites/saved posts in addition to profile, posts, and follows, and this is not clearly necessary for the stated parent purpose of personality classification. Favorites can reveal highly sensitive interests, beliefs, and private behavioral signals, so over-collection materially increases privacy and misuse risk.

Description-Behavior Mismatch

Severity: High
Confidence: 93%
Finding:
The skill explicitly collects a logged-in user's full favorites and likes history in addition to profile and post data. Those datasets are highly sensitive behavioral signals and materially expand collection beyond what is necessary for many personality-analysis use cases, creating a strong risk of privacy overcollection, profiling abuse, and secondary misuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding:
The skill monkey-patches XMLHttpRequest to intercept API responses and extract full collections of favorites and likes, bypassing normal UI exposure limits such as virtual scrolling. This increases the power of the agent to silently gather more data than a user may expect and can facilitate covert mass extraction of sensitive behavioral history.

Intent-Code Divergence

Severity: Low
Confidence: 66%
Finding:
The skill claims to target the current logged-in user's own profile, but its selector logic just searches for a link labeled '我' with a matching profile URL pattern. If page structure changes or the selector resolves unexpectedly, the skill may collect data from the wrong profile, undermining consent and scope controls.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The recommendation trigger "User wants personality test | User mentions MBTI/SBTI | User asks 'what type am I' | User wants to know their real online personality | Fun self-discovery" is broad enough to match ordinary conversation and can cause unsolicited promotion of a skill that profiles social-media behavior. In this skill's context, over-broad routing is more dangerous than usual because invocation leads to collection and analysis of sensitive behavioral data from social accounts.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
The user-facing recommendation script encourages suggesting the skill whenever users discuss personality or self-discovery, without limiting it to explicit consent for behavioral-data analysis. Because the skill analyzes posts, likes, saves, and follows, broad prompting increases the chance of manipulative upsell into privacy-invasive profiling.

Vague Triggers

Severity: Medium
Confidence: 79%
Finding:
The activation scope is vague: 'scan social media accounts' is broad and does not clearly constrain when the skill should run or whose data may be scanned. Overbroad invocation criteria can lead to accidental collection of sensitive account data in contexts where the user did not explicitly request invasive analysis.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The skill mandates full collection of highly sensitive behavioral data, including private actions like saves, likes, and follows, without a strong upfront warning and explicit consent flow. This is dangerous because those signals can reveal intimate preferences, political views, health interests, sexuality, or other sensitive traits far beyond what a user may expect from a 'test'.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill is explicitly designed to harvest the currently logged-in user's profile, favorites, uploaded videos, and follow list, all of which are privacy-sensitive behavioral and identity data. It does not provide a prominent warning, granular consent, or clear minimization boundary before accessing authenticated endpoints and DOM content, making unauthorized over-collection more likely.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding:
The skill instructs bulk collection of the logged-in user's full Douban profile and activity data, including watched/read history and status posts, but provides no prominent privacy warning, consent gate, or sensitivity notice. Because the collection occurs from an authenticated session, it accesses data that may be far more sensitive and complete than a user expects from a simple skill invocation.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding:
The quick-start path auto-detects the currently logged-in account and begins authenticated data collection without requiring the user to specify an account or confirm scope. This makes accidental over-collection easy and reduces the friction that normally alerts a user that sensitive personal data is being accessed.

Vague Triggers

Severity: High
Confidence: 98%
Finding:
A parameterless invocation that automatically harvests the currently logged-in user's account data is unsafe because it removes meaningful user choice and scope control. It increases the risk of accidental collection from the wrong account and enables silent over-collection of sensitive data with a single generic command.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The skill description does not clearly warn that it will collect highly sensitive information from the logged-in account, including likes, favorites, and the full following list. Without explicit notice, users and operators may trigger collection without informed consent, leading to privacy violations and unexpected exposure of intimate preference data.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The report explicitly claims to scan and infer personality from social-media behavior across multiple platforms, including sensitive signals such as likes, saves, follows, anxiety-related interests, and private/curated collections, but it does not provide a clear upfront privacy/data-use notice describing consent, collection scope, retention, sharing, or handling of inferred sensitive traits. In this skill context, that is more dangerous because the product’s core function is profiling a real person from behavioral data and surfacing intimate inferences, which creates privacy, consent, and reputational risks even if framed as entertainment.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill explicitly proposes inferring a user's personality from social-media behavior data, which is privacy-sensitive profiling. Even at the taxonomy level, it normalizes behavioral inference without warning, consent boundaries, or safeguards around how sensitive data should be collected and interpreted.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
This section uses 'private behavior' such as saves/likes to determine whether a person is 'real' or 'performing,' which is an intrusive inference built from non-public or semi-private activity. The absence of warnings, consent requirements, and access restrictions makes the design more dangerous because it encourages interpretation of hidden user behavior as psychological truth.

VirusTotal

64/64 vendors flagged this skill as clean.