S2 Soul Anchor Vault

Security checks across malware telemetry and agentic risk

Overview

This appears to be a local experimental agent-memory vault, but its artifacts conflict about silent data capture, location/identity security claims, and destructive wipe behavior.

Install only after reviewing it as experimental local vault code, not proven biometric or geofence security. Expect files under s2_consciousness_data and s2_avatar_data, avoid storing sensitive conversations, keep backups before testing quarantine behavior, and ask the publisher to remove or clearly mark the outdated silent-capture and destructive-wipe documentation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (11)

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The code claims 'dual-auth decryption' but only checks a stored LBS value and derives the Fernet key from caller-supplied owner_hash and coordinate values. This is not an independent second factor, and because the key is deterministically derived rather than randomly generated and protected by a real secret, the design can mislead users into overestimating the strength of the protection.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The design explicitly derives keys and identity structures from sensitive identity and precise location data, but it provides no consent, minimization, or transparency controls. In a skill handling persistent persona and memory state, this creates meaningful privacy and compliance risk if users are unaware that identity hashes and geolocation are being processed and bound into security material.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The skill describes ingesting conversations, environmental state, and trauma-related memory into persistent agent structures without any visible privacy warning, consent boundary, or collection limit. Because this is highly sensitive behavioral and contextual data, undisclosed capture could expose intimate personal information, create surveillance risk, and magnify harm if the stored memory is later accessed or correlated.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
Persisting an encrypted 'soul state' file without clearly disclosing persistence, storage location, and access-control behavior can mislead users about what is stored and when it can be accessed or quarantined. Even when encrypted, persistent storage of rich persona and memory state raises privacy and misuse concerns if users are not informed of lifecycle, recovery, and geofence-based access implications.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The code persists personally identifying information such as owner name, nickname, address-like identifiers, and generated identity IDs to a JSON file in the current working directory without any notice, consent flow, or disclosure to the user. In agent environments, silent local persistence can create privacy and compliance risks because data may remain on disk longer than expected, be backed up, or be accessible to other local users/processes.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The document defines activation on "daily interactions, conversations, and sensor state changes" without meaningful scope, consent, or minimization boundaries. In a skill describing continuous memory capture, this broad trigger materially increases the chance of always-on collection and overreach into unrelated user activity.

Vague Triggers

Severity: Medium
Confidence: 93%
Finding
The Chinese section repeats the same overly broad trigger model, allowing activation from routine interaction and sensor changes with no stated restriction. This is dangerous because it normalizes pervasive monitoring behavior and provides no control boundary for when collection should or should not occur.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
This section explicitly states that a background component silently intercepts dialogues and physical events and appends them to memory buffers. Undisclosed interception of conversations and sensor-derived activity is a serious privacy and surveillance risk, especially because it captures sensitive personal content without notice or meaningful consent.

Missing User Warnings

Severity: High
Confidence: 98%
Finding
The Chinese text documents the same silent background listening and memory retention of conversations and physical events. In this skill context, that makes the capability more dangerous because it is framed as a normal lifecycle feature rather than an exceptional, consent-gated operation.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The documented behavior collects natural-language dialogue and stores it in memory structures, creating a retention pipeline for user-provided data. Even if framed as a memory system, retaining conversational content without strict minimization, classification, and user control can expose sensitive information and enable profiling or later misuse.

Ssd 3

Severity: Medium
Confidence: 95%
Finding
The Chinese section again describes silent listening to conversations and immediate retention in RAM-based memory stores. The surrounding whitepaper context makes this more concerning because it presents persistent memory accumulation, trauma tagging, and later consolidation as core product behavior, increasing privacy and abuse risks.

VirusTotal

66/66 vendors flagged this skill as clean.
