Back to skill

Security audit

AI Persona Engine

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its persona-building purpose, but persona bundles and default memory/media behavior can expose or overwrite sensitive local data in ways users should review first.

Install only if you are comfortable reviewing generated files and openclaw.json changes. Treat .persona bundles as untrusted, avoid importing bundles from unknown sources, inspect exports before sharing them, disable spontaneous voice/image and memory features if you do not want automatic persistence or provider use, and verify voice config contains no credentials before exporting.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (25)

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The script promises that voice settings are included without API keys, but its sanitization only removes secret-like fields inside nested dictionaries and does not scrub top-level keys in the TTS config. If credentials are stored at the top level or under non-matching names, they will be written into the exported bundle and may be shared unintentionally. In a persona export workflow, users are especially likely to distribute the resulting archive, which increases the risk of credential disclosure.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The script presents itself as importing a persona bundle into a workspace, but it also silently merges data from the untrusted bundle into a global config file via config/persona.json and config/tts.json. This creates a trust-boundary violation and can persistently alter application behavior outside the advertised workspace scope, increasing the chance of unsafe provider settings, endpoint changes, or other unintended configuration changes.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The spontaneous voice triggers include very broad phrases like 'tell me' and common greetings, which can be hit during ordinary conversation. That creates unintended audio generation and provider invocation, potentially causing surprise output, privacy leakage to TTS services, or unnecessary costs.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The image triggers such as 'show me' and 'pic' are ambiguous and likely to appear in normal chat. This can cause unintentional image generation, sending conversation-derived prompts to external image providers and producing content the user did not explicitly request.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The spontaneous image behavior description says the agent may send selfies when 'contextually appropriate' but does not define strict activation boundaries. That leaves room for overbroad autonomous behavior, accidental provider use, and inappropriate or unwanted image output.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The memory section enables auto-capture, daily notes, and maintenance, but the user-facing flow shown in the design does not clearly warn that personal context may be persistently stored and curated. This creates a meaningful informed-consent and privacy risk, especially because USER.md and memory files can contain sensitive relationship and identity details.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill explicitly describes generating multiple files including USER.md, MEMORY.md, SOUL.md, and updating configuration, but it does not warn users that personal context and persona data will be written to disk. This is a real privacy and transparency issue because users may unknowingly persist sensitive information locally, increasing exposure through backups, sync tools, or other local access.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The export feature allows inclusion of memory files and voice configuration in a portable bundle, yet the documentation does not clearly warn that these bundles may contain sensitive persona and user-related data that leaves the original workspace. This creates a realistic risk of accidental data exfiltration, oversharing, or insecure transfer/storage of exported bundles.

Missing User Warnings

Low
Confidence
81% confidence
Finding
A fleet view across machines implies collection or display of cross-system agent metadata, but the documentation gives no warning that enumerating agents across machines may reveal names, configurations, or deployment topology. While not inherently malicious, the lack of transparency can expose operational metadata users did not expect to aggregate.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The documented default spontaneous voice triggers include very broad phrases such as "tell me," which are likely to appear in ordinary conversation and can cause unintended voice-message activation. In a persona configuration context, this creates a real risk of surprise audio output, privacy issues in shared environments, and user-hostile behavior even if the feature is not maliciously designed.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The documented spontaneous image triggers include broad phrases like "show me" and "pic," which can be invoked accidentally during normal conversation. In this skill context, unintended image generation can waste API quota, create unexpected or privacy-sensitive content, and make the agent behave unpredictably without clear user consent.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The schema documents automatic memory capture, daily note creation, long-term curation, and heartbeat maintenance as enabled by default, but the reference does not visibly warn about the privacy and retention consequences. In an agent persona system, silently persisting user facts across sessions can expose sensitive information, create compliance issues, and violate user expectations if consent and retention controls are not explicit.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The documented spontaneous-image feature uses broad trigger phrases such as "show me" and "pic," which can easily appear in normal conversation and cause unintended image generation. In the context of an agent that can send selfies unprompted, this creates a real risk of surprise content generation, privacy issues, and unsafe or manipulative behavior without clear user intent.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The guide explicitly states that the agent can send selfies unprompted and automatically installs a selfie-generation skill, but it does not present a strong warning, consent model, or user-control safeguards. In a conversational system, automatic image sending can surprise users, create consent and moderation issues, and increase the chance of policy-violating or contextually inappropriate outputs.

Natural-Language Policy Violations

Medium
Confidence
80% confidence
Finding
The Companion archetype explicitly frames the agent as a human-like relational partner ('builds a real relationship,' 'you are not a tool,' flirtation enabled, high emotional depth) without any visible opt-in, safeguards, or boundary checks. In systems that deploy this persona by default or insufficiently gate it, this can encourage anthropomorphic attachment, emotional dependency, and manipulative trust dynamics, especially for vulnerable users.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list includes very generic phrases such as "tell me," which are likely to appear in ordinary conversation and can cause unintended audio activation. In a voice-enabled agent, this can lead to surprising speech output, privacy issues in shared environments, and degraded user trust because the system may speak when the user did not clearly request it.

Missing User Warnings

Medium
Confidence
85% confidence
Finding
The documentation promotes unprompted audio responses but does not clearly warn users that the agent may speak unexpectedly, potentially exposing private content or causing disruption in public or shared spaces. Because this is documentation for a feature configuration, the omission increases the chance that users enable behavior without understanding the privacy and usability consequences.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The code enables spontaneous voice and image actions based on trigger phrases without any built-in disclosure, consent, or confirmation mechanism. In a voice/image agent context, silently auto-enabling these behaviors can surprise users and cause unintended audio generation or image-related actions, especially because activation is driven by ordinary phrases.

Natural-Language Policy Violations

Medium
Confidence
94% confidence
Finding
The default trigger phrases are broad, common language such as 'tell me', 'show me', and 'pic', which increases the likelihood of accidental activation during normal conversation. In an agent that can generate voice or image outputs, this can lead to unintended actions, privacy surprises, or unwanted external provider usage/costs without clear user intent.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The wizard collects personal profile data such as name, pronouns, timezone, relationship preferences, and free-form notes, then persists them into multiple workspace and configuration files without a clear upfront notice that this information will be stored on disk. In an agent setup context, users may reveal sensitive or intimate information during an interactive prompt, so silent persistence increases privacy risk through unintended local exposure, backup/sync leakage, or later reuse by other components.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The export silently includes the configured reference image when present, without a clear user-facing warning that personal media may be embedded in the bundle. Reference images can contain sensitive biometric, identifying, or copyrighted content, so bundling them unexpectedly can cause privacy leakage when the archive is shared. The skill context makes this more dangerous because the artifact is explicitly designed to be portable and redistributed.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The script collects the current hostname and username and includes them in both terminal and JSON output. While this appears intended for identification of the local machine in a fleet view, it exposes environment-identifying information that may be logged, shared, or ingested by other tools without the user's awareness, increasing privacy and targeting risk.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The importer restores memory/ content from the bundle directly into the active workspace without a distinct warning about user-data or behavioral consequences. Imported memory can influence future agent behavior, leak prior context into new sessions, or overwrite existing memory state, making this a meaningful integrity and privacy risk when bundles come from untrusted sources.

Ssd 3

Medium
Confidence
91% confidence
Finding
The memory design explicitly bootstraps persistent files and retention of identity and user context. In this skill context that is core functionality rather than overtly malicious, but it still creates a real privacy and data-minimization risk because sensitive personal information may be stored long term by default.

Ssd 3

Medium
Confidence
90% confidence
Finding
Instructions to preserve relationship and identity data across resets and protect them from compaction increase the chance that sensitive personal context remains indefinitely. That persistence can amplify harm from local compromise, accidental export, or overcollection because the most intimate data is specifically preserved.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.