Lumi Diary

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local diary skill, but it needs review because it persistently profiles people and archives group chat/media with limited consent, preview, and recovery controls.

Install only if you intentionally want a local agent to keep durable memories, profiles, milestones, media references, and group highlights. Use it in group chats only after participants know it is archiving, set the vault path deliberately, back up important memories before allowing deletes, and import .lumi capsules only from trusted sources.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (11)

Description-Behavior Mismatch

Severity: Low, Confidence: 90%
Finding
The skill claims all I/O is sandboxed to a vault, but the vault root is taken from an environment variable without constraining it to a safe base path. That makes the 'local-first sandboxed' claim unreliable, because a manipulated runtime environment can cause the skill to operate on arbitrary filesystem locations.

Context-Inappropriate Capability

Severity: Low, Confidence: 88%
Finding
Reading environment variables is an extra trust boundary not obviously necessary for a diary feature, and here it controls where user data is stored. In practice this can be abused by a hostile launcher or modified environment to redirect diary content and exported artifacts to unintended locations.

Intent-Code Divergence

Severity: Medium, Confidence: 97%
Finding
The module advertises that all I/O is sandboxed to the vault, but import_capsule accepts an arbitrary file_path and extracts an untrusted ZIP with extractall() into a temporary directory. A crafted archive can exploit path traversal during extraction (entries whose names escape the target directory) or otherwise violate the stated trust model before any manifest validation occurs.

Missing User Warnings

Severity: Medium, Confidence: 89%
Finding
The README explicitly says Lumi maintains portraits for everyone it meets and proactively checks milestones at the start of each conversation, but it does not clearly warn users that it is storing and processing personal profile data about other people. In a memory/diary skill operating on local chats, this can lead to non-obvious collection of birthdays, anniversaries, impressions, and social metadata without informed consent from the user or participants.

Missing User Warnings

Severity: Medium, Confidence: 92%
Finding
The README promotes group-chat archiving, highlight capture, and annotation stitching, but does not clearly warn that other participants' messages, photos, and media may be persisted into the local vault. Even though storage is local-first, silently retaining third-party communications can create privacy and consent issues, especially in group settings where participants may not expect durable recording.

Missing User Warnings

Severity: Medium, Confidence: 88%
Finding
The skill persistently stores sensitive personal and group-chat data, including milestones, impressions, media, and identity-linked fragments, but does not present a clear, explicit privacy warning or consent flow at the point of collection. In a group context, this can lead to non-obvious recording of other people's content and create privacy and social harm even if the data remains local.

Missing User Warnings

Severity: Medium, Confidence: 91%
Finding
Exporting and importing memory capsules that may contain media, personal memories, and structured metadata introduces clear confidentiality and integrity risks, but the skill text does not warn users about sharing sensitive data or merging untrusted capsules. Users could accidentally disclose private content or import harmful/unwanted data into their local vault.

Missing User Warnings

Severity: Medium, Confidence: 91%
Finding
Importing a capsule automatically merges external content, media, and metadata into the local vault with no confirmation, provenance check, or trust prompt. In a diary skill handling sensitive personal memories, silent import increases the risk of unwanted data poisoning, storage abuse, and confusing or manipulative content being blended into trusted records.

Ssd 3

Severity: Medium, Confidence: 87%
Finding
The instructions direct the agent to persist personality traits, preferences, and milestones for reuse in future interactions, creating a long-term profiling store of sensitive personal data. Even when local-only, this increases privacy risk because the retained data can surface unexpectedly later and may include highly personal inferences the user did not realize were being recorded.

Ssd 3

Severity: High, Confidence: 93%
Finding
The skill is designed to archive group conversations together with sender-linked identifiers for later retrieval and rendering, which creates a significant privacy risk for non-owner participants. Because the skill has read/write local filesystem access and is intended to retain identifiable multi-party content over time, misuse or misunderstanding could expose private group history and relationships.

Ssd 3

Severity: Medium, Confidence: 85%
Finding
The skill explicitly encourages saving embarrassing or cringe moments as keepsakes for future callback, which normalizes retention and resurfacing of potentially humiliating content. This can cause emotional, reputational, and relational harm, especially in group settings where subjects may not have consented to archival or later reuse.

VirusTotal

65/65 vendors flagged this skill as clean.