Emotion State

Security checks across malware telemetry and agentic risk

Overview

This emotion-tracking hook is mostly coherent, but it can share sensitive inferred emotion state across agents and send conversation text to external classifiers without sufficiently clear privacy controls.

Review before installing. Use this only if you are comfortable with inferred emotion history being stored across sessions, inserted into future prompts, and possibly sent with raw message text to OpenAI or a configured classifier. For sensitive work, set EMOTION_MAX_OTHER_AGENTS to 0, avoid third-party classifier settings unless explicitly approved, and establish a way to inspect and delete the emotion-state.json files.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
System Prompt LeakageDirect Leakage, Indirect Extraction, Tool-Based Exfiltration
MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection

Findings (11)

Lp3

Medium

Category: MCP Least Privilege
Confidence: 92% confidence
Finding: The skill documentation instructs users to install a hook that uses environment variables and makes outbound network calls, yet the skill declares no corresponding permissions. This creates a transparency and consent gap: operators may enable a component with broader capabilities than the manifest suggests, which is risky for a prompt-injecting hook that also persists state.

Description-Behavior Mismatch

High

Confidence: 98% confidence
Finding: The hook injects a synthesized <emotion_state> block into the agent bootstrap context via EMOTIONS.md, which changes the model's prompt and behavior surface beyond simple emotion tracking. This is effectively prompt/context injection capability hidden behind an emotion-tracking skill, and because the injected content is derived from prior conversation and other state, it can bias future responses or become a channel for indirect prompt injection.

Context-Inappropriate Capability

High

Confidence: 97% confidence
Finding: The skill enumerates sibling agent directories and reads emotion-state files from other agents, giving it cross-agent visibility unrelated to the stated purpose of tracking the current interaction's emotional state. This breaks isolation assumptions and can leak sensitive inferred state across agents, which is especially risky because emotion data is intimate and may influence downstream agent behavior.

Description-Behavior Mismatch

Medium

Confidence: 92% confidence
Finding: The file performs external network-based emotion classification either to a custom endpoint or the OpenAI API, but the skill description only mentions emotion tracking and prompt injection, understating that message content leaves the local environment. This mismatch impairs informed review and deployment decisions, increasing the risk of undisclosed data egress.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill explicitly states that it stores per-user emotion state across sessions, but it does not present a user-facing privacy warning or consent mechanism. Persistent storage of inferred emotional attributes is sensitive profiling data and can create privacy, compliance, and misuse risks if retained without clear disclosure and controls.

Missing User Warnings

Medium

Confidence: 97% confidence
Finding: The skill says it injects the latest emotion entries and a trend line into the system prompt, but it omits a clear warning about this prompt augmentation. Injecting inferred user-state into the system prompt materially affects downstream model behavior and can amplify privacy exposure, bias responses, or create a covert channel influencing future interactions.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The hook explicitly stores per-agent emotion history and may transmit that content to an external classifier or OpenAI, but the documentation contains no explicit privacy notice, consent requirement, data-minimization guidance, or warning that sensitive psychological inferences may be sent off-box. Because emotion state can contain highly sensitive personal data and is later injected into the system prompt, this creates a real privacy and prompt-scope expansion risk rather than a purely informational issue.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: When EMOTION_CLASSIFIER_URL is configured, raw message text and role are POSTed to an external classifier without any visible notice, consent, or minimization in this code path. User conversation content may contain secrets or sensitive personal data, so silent transmission to an arbitrary endpoint creates a meaningful privacy and data-handling risk.

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The OpenAI classification path sends user/assistant message text to a third-party API for emotional analysis without visible disclosure in this file. Because emotional inference is sensitive profiling, transmitting full text off-box increases both privacy exposure and regulatory/compliance risk.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: The skill persists emotion state and history to a local JSON file, creating durable storage of inferred emotional profiling without any visible disclosure or retention policy in this code. Persistent storage increases the blast radius of compromise and can expose sensitive behavioral history to other local components or operators.

External Transmission

Medium

Category: Data Exfiltration
Content: "env": { "EMOTION_CLASSIFIER_URL": "", "OPENAI_API_KEY": "YOUR_KEY", "OPENAI_BASE_URL": "https://api.openai.com/v1", "EMOTION_MODEL": "gpt-4o-mini", "EMOTION_CONFIDENCE_MIN": "0.35", "EMOTION_HISTORY_SIZE": "100",
Confidence: 88% confidence
Finding: https://api.openai.com/

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal