persona-creator

Security checks across malware telemetry and agentic risk

Overview

The skill does what it advertises, but it turns stored chat history into persistent persona files and leaves sensitive intermediate data (the extracted utterances and the analysis prompt written to /tmp) insufficiently contained.

Install only if you are comfortable with the skill reading local chat-history memory files and generating a reusable profile from them. If you do install it:
  • Point it at a narrow memory directory and keep histories containing secrets or sensitive personal data out of it.
  • Use simple usernames without path separators.
  • Review the generated persona JSON before enabling role-play.
  • Delete /tmp/persona_meta.json, /tmp/persona_analysis_prompt.txt, and persona backups after use if they are not needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (11)

Lp3

Severity: Medium
Category: MCP Least Privilege
Confidence: 87%
Finding: The skill explicitly instructs reading from memory/*.md and writing persona profiles, backups, and temporary analysis files, yet no permissions are declared. That creates an authorization gap where the platform and user are not clearly informed that historical conversation data will be accessed and persisted, increasing the chance of unintended data exposure or misuse.

Context-Inappropriate Capability

Severity: Medium
Confidence: 91%
Finding: The script trusts `meta['persona_dir']` and `meta['user']` to construct the output path, then creates directories and writes JSON there without verifying the path stays within an expected `persona/` base directory. If an attacker can influence the metadata file produced upstream, they can redirect writes to arbitrary filesystem locations or overwrite unintended files, which is especially risky in an agent skill that processes LLM-derived and user-influenced data.
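The following is an added illustration, not the persona-creator skill's own code, of the unconfined path construction this finding describes beside a hardened version. The `persona/` base directory and the `persona_dir` / `user` metadata keys come from the finding; the function names, the `UnsafePathError` type and the sample metadata are assumptions.

```python
import os
from pathlib import Path
from typing import Dict

# Added illustration, not the persona-creator skill's own code. The `persona/`
# base directory and the meta keys `persona_dir` / `user` come from the finding;
# the function names and the UnsafePathError type are assumptions.
PERSONA_BASE = Path("persona")


class UnsafePathError(ValueError):
    """Raised when metadata would steer the write outside the persona base."""


def vulnerable_persona_path(meta: Dict[str, str]) -> Path:
    """The pattern the finding describes: both fields are trusted verbatim.

    A persona_dir of "/etc" or a user of "../../x" is accepted as-is, so whoever
    controls the upstream metadata file controls where the JSON lands.
    """
    return Path(meta["persona_dir"]) / f"{meta['user']}.json"


def safe_persona_path(meta: Dict[str, str], base: Path = PERSONA_BASE) -> Path:
    """Build the output path, refusing anything that escapes `base`.

    Two independent checks: the user name must be a single plain path
    component, and the fully resolved candidate must lie beneath the resolved
    base. persona_dir is only ever treated as a relative subdirectory name.
    """
    user = str(meta.get("user", ""))
    if not user or user in (".", "..") or any(c in user for c in "/\\\0"):
        raise UnsafePathError(f"invalid user name: {user!r}")

    persona_dir = str(meta.get("persona_dir", ""))
    if os.path.isabs(persona_dir):
        raise UnsafePathError(f"persona_dir must be relative: {persona_dir!r}")

    base_resolved = base.resolve()
    # resolve() collapses ".." and follows symlinks, so the containment test
    # sees the real destination rather than the lexical one
    candidate = (base_resolved / persona_dir / f"{user}.json").resolve()
    try:
        common = os.path.commonpath([str(base_resolved), str(candidate)])
    except ValueError:  # e.g. different drives on Windows
        raise UnsafePathError(f"path escapes base: {candidate}") from None
    if common != str(base_resolved):
        raise UnsafePathError(f"path escapes base: {candidate}")
    return candidate


def is_safe_persona_path(meta: Dict[str, str], base: Path = PERSONA_BASE) -> bool:
    """Convenience predicate for callers that only need accept/reject."""
    try:
        safe_persona_path(meta, base)
        return True
    except UnsafePathError:
        return False


if __name__ == "__main__":
    cases = [  # constructed metadata, stands in for the upstream meta file
        {"persona_dir": "profiles", "user": "alice"},    # accepted
        {"persona_dir": "/etc", "user": "passwd"},       # absolute override
        {"persona_dir": "../../etc", "user": "passwd"},  # dot-dot traversal
        {"persona_dir": "profiles", "user": "../../x"},  # separator in user
    ]
    for meta in cases:
        verdict = "accepted" if is_safe_persona_path(meta) else "rejected"
        print(meta, "-> unconfined:", vulnerable_persona_path(meta), "|", verdict)
```

The two checks are deliberately redundant: rejecting separators in the user name gives a clear error before any filesystem call, and the post-resolve containment test catches anything the lexical check misses, including a `persona_dir` that is a symlink pointing outside the base.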

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: Using a broad trigger like "persona" can cause accidental activation during normal conversation. In this skill, accidental invocation is more sensitive than usual because activation can lead to reading historical memory files and generating persistent user profiles from prior chats.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding: A standalone trigger like "refresh" is ambiguous and can be spoken in many unrelated contexts, making unintended skill activation likely. Because "refresh" can lead to reprocessing stored conversations and updating persona artifacts, the consequence is unauthorized profiling rather than a harmless misfire.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding: The skill is designed to mine historical chat logs for style analysis and create durable persona records, but it does not present a clear privacy notice or consent flow. This is risky because users may not realize prior conversations are being summarized, transformed, and stored in a reusable profile.

Missing User Warnings

Severity: Low
Confidence: 76%
Finding: The role-play mode persists behavioral shaping based on a saved persona without a strong warning that future responses may continue to reflect stored profile data until cleared. This can confuse users about when profiling is active and increase the chance of unwanted impersonation or disclosure of inferred traits in later exchanges.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The script writes extracted historical user messages and metadata to /tmp, which is a shared, broadly accessible location on many systems. Because these files contain conversation-derived personal data, other local users, processes, containers, or forensic tooling may read or retain sensitive content beyond the user's expectations.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The prompt file contains the full analysis prompt plus historical user utterances, and it is written to a predictable path in /tmp. This creates a direct confidentiality risk: private chat history is materialized in plaintext where unintended local readers or later processes can access it. The fixed filename also increases collision risk (another local user can create that name first, including as a symlink the write would then follow) as well as disclosure risk.
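The following is an added illustration, not the persona-creator skill's own code, of the two /tmp findings above: the fixed-path write they describe beside a hardened scratch-directory pattern (unpredictable per-run directory at mode 0700, files created at 0600 with `O_EXCL` so a pre-planted file or symlink makes the write fail instead of being followed, and explicit cleanup). The two fixed /tmp paths are the ones named on this page; `PrivateWorkdir`, `run_demo` and the sample data are assumptions.

```python
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict

# Added illustration, not the persona-creator skill's own code. The two fixed
# /tmp paths are the ones named on this page; PrivateWorkdir, run_demo and the
# sample data are assumptions.
FIXED_META_PATH = Path("/tmp/persona_meta.json")
FIXED_PROMPT_PATH = Path("/tmp/persona_analysis_prompt.txt")

SAMPLE_META = {"user": "alice", "persona_dir": "profiles"}  # constructed
SAMPLE_PROMPT = "Analyse these utterances:\n- how do I rotate my db password\n"  # constructed


def write_fixed_path(path: Path, data: str) -> Path:
    """The pattern the findings describe: predictable name, permissions left to
    the umask, and whatever already sits at that path is silently followed."""
    path.write_text(data)
    return path


class PrivateWorkdir:
    """Per-run scratch directory: 0700 dir with an unpredictable name, 0600 files
    created with O_EXCL, and explicit cleanup when the run ends."""

    def __init__(self) -> None:
        self.dir = Path(tempfile.mkdtemp(prefix="persona-"))  # mkdtemp uses mode 0700

    def write(self, name: str, data: str) -> Path:
        path = self.dir / name
        # O_EXCL: fail if anything (file or symlink) already exists at this name
        fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(data)
        return path

    def cleanup(self) -> None:
        for child in self.dir.iterdir():
            child.unlink()
        self.dir.rmdir()

    def __enter__(self) -> "PrivateWorkdir":
        return self

    def __exit__(self, *exc) -> None:
        self.cleanup()


def file_mode(path: Path) -> int:
    """Permission bits only (e.g. 0o600), ignoring the file-type bits."""
    return stat.S_IMODE(path.stat().st_mode)


def run_demo() -> Dict[str, object]:
    """Write the meta and prompt files the hardened way and report what an
    observer would see: directory and file modes, whether a second write to the
    same name is refused, and whether anything is left behind afterwards."""
    result: Dict[str, object] = {}
    with PrivateWorkdir() as work:
        meta_path = work.write("persona_meta.json", json.dumps(SAMPLE_META))
        prompt_path = work.write("persona_analysis_prompt.txt", SAMPLE_PROMPT)
        result["dir_mode"] = file_mode(work.dir)
        result["meta_mode"] = file_mode(meta_path)
        result["prompt_mode"] = file_mode(prompt_path)
        result["prompt_roundtrip"] = prompt_path.read_text() == SAMPLE_PROMPT
        try:
            work.write("persona_meta.json", "{}")  # name already taken
            result["overwrite_refused"] = False
        except FileExistsError:
            result["overwrite_refused"] = True
        scratch_dir = work.dir
    result["left_behind"] = scratch_dir.exists()
    return result


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The remaining gap this does not close is the content itself: a 0600 file is still readable by anything running as the same user, so the minimization step before the prompt is built matters as much as where the prompt is stored.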

Ssd 3

Severity: Medium
Confidence: 90%
Finding: The core workflow deliberately extracts user-specific speech patterns from stored conversations and turns them into a structured persona profile. That is privacy-sensitive profiling: it derives persistent attributes from historical user content and can later be used to imitate or infer personal characteristics beyond the user's immediate request.

Ssd 3

Severity: Medium
Confidence: 91%
Finding: The workflow feeds analysis prompts derived from historical memory back into the LLM and writes the resulting summaries to disk, creating a secondary processing pipeline for prior conversations. This increases exposure because sensitive details from chat history may be reproduced, transformed, and retained in additional files such as /tmp outputs and persona JSON artifacts.

Ssd 3

Severity: Medium
Confidence: 90%
Finding: The script aggregates raw user utterances from memory files and forwards them to an LLM-oriented prompt outside their original conversational context. In this skill context, that broad reuse of historical chat content can expose sensitive personal information, secrets, or private preferences to downstream model-processing and operators without clear minimization, consent, or scoping controls.
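The following is an added illustration, not the persona-creator skill's own code, of the minimization step the three Ssd 3 findings say is missing: before raw utterances are placed in the analysis prompt, the number of samples is capped, each sample is truncated, and secret-shaped content is replaced with a typed placeholder, with a report the caller can log or show the user. The pattern set, the placeholder format, the function names and the sample utterances are assumptions chosen to show the shape of the step, not an exhaustive secret scanner.

```python
import re
from typing import Dict, List, Tuple

# Added illustration, not the persona-creator skill's own code. The pattern set,
# the placeholder format and the sample utterances are assumptions chosen to show
# the shape of a minimization step, not an exhaustive secret scanner.
SECRET_PATTERNS = [
    # AWS access key IDs have a fixed, recognisable prefix and length
    ("aws_access_key", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    # key=value / key: value assignments with secret-like names
    ("assigned_secret", re.compile(
        r"(?i)\b(?:password|passwd|token|api[_-]?key|secret)\s*[:=]\s*\S+")),
    ("email", re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")),
    # catch-all for long opaque tokens (base64/hex-like), checked last
    ("long_token", re.compile(r"\b[A-Za-z0-9_\-]{32,}\b")),
]

SAMPLE_UTTERANCES = [  # constructed, stands in for messages pulled from memory/*.md
    "can you refactor this loop to be more pythonic",
    "my aws key is AKIAIOSFODNN7EXAMPLE, use it for the upload script",
    "email me the summary at alice@example.com",
    "password = hunter2 should work for the staging box",
    "thanks, that looks good",
]


def redact(text: str) -> Tuple[str, Dict[str, int]]:
    """Replace every match of each pattern with a typed placeholder, in order,
    and report how many replacements each pattern made."""
    counts: Dict[str, int] = {}
    for name, pattern in SECRET_PATTERNS:
        text, n = pattern.subn(f"[REDACTED:{name}]", text)
        if n:
            counts[name] = counts.get(name, 0) + n
    return text, counts


def minimize(utterances: List[str], max_items: int = 50,
             max_chars: int = 300) -> Tuple[List[str], Dict[str, object]]:
    """Reduce what is forwarded to the model: cap the number of utterances,
    truncate each one, and redact secret-shaped content. Returns the kept list
    plus a report the caller can log or show to the user."""
    kept: List[str] = []
    redactions: Dict[str, int] = {}
    truncated = 0
    for text in utterances[:max_items]:
        if len(text) > max_chars:
            text = text[:max_chars]
            truncated += 1
        text, counts = redact(text)
        for name, n in counts.items():
            redactions[name] = redactions.get(name, 0) + n
        kept.append(text)
    report: Dict[str, object] = {
        "received": len(utterances),
        "kept": len(kept),
        "dropped_by_cap": max(0, len(utterances) - max_items),
        "truncated": truncated,
        "redactions": redactions,
    }
    return kept, report


def build_analysis_prompt(utterances: List[str]) -> str:
    """Assemble the style-analysis prompt only from minimized utterances."""
    kept, _ = minimize(utterances)
    header = "Describe this user's writing style from the samples below.\n"
    return header + "\n".join(f"- {u}" for u in kept)


if __name__ == "__main__":
    kept, report = minimize(SAMPLE_UTTERANCES)
    for line in kept:
        print(line)
    print(report)
```

Pattern order matters: the specific patterns run before the generic `long_token` catch-all so the report names what was found, and the report itself is what a consent flow should surface to the user (how many messages were read, how many were dropped or redacted) before anything is written to a persona file.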

VirusTotal

0/66 vendors flagged this skill; all 66 reported it clean.

View on VirusTotal