Security audit

纪念.skill

Security checks across malware telemetry and agentic risk

Overview

This memorial skill is mostly honest about its purpose, but its voice mode can decrypt and enumerate local WeChat data and create voice clones from private messages, so it needs careful review before installation.

Install only if you are comfortable giving the skill access to sensitive family materials. For voice mode:
  • prefer manual exports where possible;
  • confirm you have legal authority and consent for the WeChat account, chats, participants, and speaker voice;
  • review commands before database decryption;
  • use a dedicated local environment;
  • delete decrypted work directories and raw audio when finished;
  • clearly label any generated audio as synthetic.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (38)

Tp4

Severity: High
Category: MCP Tool Poisoning
Confidence: 92%
Finding
On the surface the skill is about "building a memorial archive", but the actual workflow includes highly sensitive operations such as enumerating WeChat groups/contacts, bulk-extracting voice messages, parsing chat records, reading photo metadata, and training and synthesizing voice models, clearly exceeding what a user would normally expect from the description. This description-behavior mismatch undermines informed consent, leading users to authorize reading large amounts of third-party and historical private data without understanding the real data-access surface.

Description-Behavior Mismatch

Severity: Medium
Confidence: 88%
Finding
The installation guide describes capabilities beyond a narrowly stated memorial-profile use case, including chat-record analysis, photo timeline extraction, and later voice/WeChat processing. That scope expansion is security-relevant because it increases the amount and sensitivity of personal data handled, creating a higher risk of privacy violations and user surprise even if the functionality is not overtly malicious.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding
Automated WeChat database decryption is a highly sensitive capability because it accesses protected private communications and can expose not just the memorial subject's data but also third-party participants in chats and groups. In the context of a consumer memorial tool, this is more dangerous because grieving users may not recognize that they are being guided through a forensic-style extraction workflow with significant privacy and legal implications.

Intent-Code Divergence

Severity: Medium
Confidence: 81%
Finding
The statement that all data remains local is misleading because the documented setup requires cloning external repositories and downloading models, which introduces supply-chain and potential network-exposure risks. Even if user memorial data is intended to stay on-device, blanket claims of total locality can cause users to underestimate external dependencies and trust boundaries.

Description-Behavior Mismatch

Severity: Medium
Confidence: 93%
Finding
The README explicitly documents a tool that performs WeChat voice extraction with '解密+搜索+导出' (decrypt + search + export), which is a sensitive data-access capability beyond simple memorial content organization. Even if framed as local use, decrypting and bulk-exporting private voice messages can facilitate unauthorized access to third-party communications and materially increases surveillance and privacy-abuse risk.

Context-Inappropriate Capability

Severity: High
Confidence: 91%
Finding
The documented ability to decrypt and search WeChat voice data is not narrowly scoped to the memorial use case and can be repurposed for covert collection of a target's private messages. In this context, the memorial theme does not sufficiently reduce risk because the feature operates on highly sensitive communications and could be misused against living people or non-consenting family members.

Intent-Code Divergence

Severity: Medium
Confidence: 72%
Finding
Claiming that voice data 'does not leave the device' as an absolute privacy guarantee is misleading when installation and operation depend on external code, models, and toolchains whose behavior is not fully characterized in the README. Users may rely on that assurance when processing extremely sensitive bereavement, chat, and biometric voice data, creating a privacy and trust risk if any component transmits telemetry or downloads remote assets.

Intent-Code Divergence

Severity: Medium
Confidence: 87%
Finding
The documentation claims that "all data is stored locally only and never uploaded", but the skill depends on multiple external scripts invoked via `Bash` and on a training/synthesis pipeline, with no technical control guaranteeing that those scripts do not access the network, download models, or send telemetry. The security promise does not match the actual execution boundary, which can lead users to wrongly believe that sensitive data about the deceased, chat records, and voice samples will never leave the machine.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
Enumerating WeChat groups, listing senders, and bulk-parsing WeChat/QQ chat data constitute broad discovery and collection capabilities over third-party communications, exceeding the minimum necessary scope for building a memorial archive. Even if the intent is memorial use, this design enlarges the visible data surface and increases the risk of inadvertently collecting the private data, group-chat content, and history of unrelated people.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding
The generated SKILL.md grants `Bash` in `allowed-tools`, even though this utility only creates and combines memorial/persona documents. That violates least privilege: any downstream agent invoking the generated skill would receive shell execution capability unrelated to the memorial use case, increasing the risk of command execution, file tampering, or broader environment access if the skill content is later influenced by untrusted material.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The code programmatically retrieves WeChat information, decrypts local message databases, enumerates chats and contacts, and extracts voice messages for arbitrary users in a group. That is a sensitive data access capability far broader than a narrowly scoped memorial workflow, and it enables bulk recovery of private communications from the local device.

Context-Inappropriate Capability

Severity: High
Confidence: 99%
Finding
The tool obtains live WeChat decryption keys via pywxdump and locates the user's local WeChat data directory, giving it direct access to protected chat history. Accessing secrets and private message stores in this way is highly sensitive and can expose large amounts of personal data unrelated to the memorial use case.

Intent-Code Divergence

Severity: Medium
Confidence: 89%
Finding
The description frames the tool as extracting a specified person's voice, but the implementation first decrypts full databases and lists groups and contacts, obscuring the real scope of collection. This mismatch increases risk because users may not understand that the tool accesses much more data than the stated purpose implies.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The guide instructs users to extract and decrypt WeChat chat data and train on voice messages without an explicit privacy, consent, or sensitivity warning. This is dangerous because it normalizes processing intimate communications and biometric voice data, potentially including non-consenting third parties, in a context where users may be emotionally vulnerable and less likely to assess the risks carefully.

Missing User Warnings

Severity: Medium
Confidence: 88%
Finding
The README encourages users to ingest chat logs and voice messages as the primary input without prominently warning about consent, bystander privacy, and the sensitivity of family-group communications. That creates a foreseeable risk of collecting private data from multiple participants who never agreed to analysis, storage, or transformation into a persona model.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The voice-cloning section describes generating arbitrary speech in a deceased or living relative's voice without a comparably strong warning about impersonation, fraud, consent, and emotional harm. Voice is biometric and highly abuse-prone; presenting cloning as a straightforward feature materially lowers the barrier to misuse for deception or non-consensual reconstruction.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README encourages extracting family WeChat group chats and voice messages to build a memorial without addressing the privacy and consent of other group participants. This can lead users to collect, process, and retain sensitive communications and biometric voice data from uninvolved third parties, increasing the risk of privacy violations and unauthorized data use.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The skill includes sensitive operations such as chat-record parsing, voice extraction, file writing, and voice-model training, yet lacks clear risk warnings, confirmation that the data sources were obtained legitimately, and step-by-step authorization. In highly emotionally vulnerable situations such as grief and memorialization, users may not fully understand that private data of the deceased and of third parties will be processed and that voice clones open to abuse will be generated.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README documents a concrete workflow to extract WeChat voice messages, preprocess them, train a voice-cloning model, and synthesize speech for a deceased person, but it provides no consent, legality, provenance, or privacy safeguards. In this skill context, the combination of memorialization, identity reconstruction, and voice cloning materially increases risk of misuse, including non-consensual biometric processing, impersonation, and emotional/social deception.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
The prompt explicitly solicits highly sensitive memorial data such as chat logs, audio, photos, diaries, letters, and social media content without any notice about privacy risks, third-party data, retention, or consent. In a grief-focused context, users are especially vulnerable and may overshare intimate material about both the deceased and living relatives, creating meaningful privacy, dignity, and legal risk.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
In living mode, the skill encourages collection of recordings, voice messages, and private chat histories involving a living person, but does not require that person's knowledge or consent. Because the skill also concerns personality reconstruction and voice cloning, the intake materially increases the chance of non-consensual capture and downstream misuse of biometric and intimate personal data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The prompt instructs users to organize recordings/notes into structured text and upload them into an archive, including highly sensitive biographical, emotional, and family data, but it provides no explicit consent flow, retention limits, access controls, or privacy warning. In this skill's context—memorial profiles, personality reconstruction, and voice cloning—the collected material could enable identity misuse, non-consensual digital replicas, family privacy violations, and long-term exposure of intimate personal history.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
This tool can write full transcripts of highly sensitive private audio to disk without any explicit privacy warning, retention guidance, or protective controls. In the memorial context, recordings may contain intimate family history, health data, financial details, or third-party conversations, so silent persistence increases the risk of unintended disclosure through shared machines, backups, or later reuse.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The self-interview guidance explicitly recommends recording, transcribing, labeling, and uploading highly sensitive first-person life narratives into a memorial archive, but it does not require informed consent for storage/sharing, define access controls, or warn about downstream exposure of intimate family, health, political, or trauma-related disclosures. In this skill’s context—memorialization, personality reconstruction, and voice cloning—such material is especially privacy-sensitive and could be repurposed for profiling, impersonation, or family harm if mishandled.

Missing User Warnings

Severity: Medium
Confidence: 86%
Finding
The tool persists cloned-voice audio to disk by default, including highly sensitive memorial voice output, without any consent prompt, retention warning, or cleanup behavior. In this skill’s context, the generated files may represent intimate biometric/identity-linked data of deceased relatives, so silent persistence increases the risk of unintended disclosure, misuse, or later exfiltration from shared systems.

VirusTotal

67/67 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.