Persona Skill

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill largely matches persona management, but it can persistently overwrite persona and memory files and accepts profile updates from downstream skills without clear user approval or validation.

Review this skill carefully before installing. It is aligned with persona setup, but it can change persistent files that shape future agent behavior. Prefer using it only when you intentionally want a persona reset or update, and require a visible diff, backup, and explicit approval before any write.

Static analysis

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

Dangerous exec

Critical
Finding
Shell command execution detected (child_process).

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

A triggered initialization can overwrite important persona/runtime files before the user reviews the final draft.

Why it was flagged

The skill is allowed to write files and explicitly instructs the agent to write the generated persona files after its own review without waiting for final user confirmation.

Skill content
allowed-tools: Bash(node:*) Read Write ... Once the five-file draft passes review, write it directly without waiting for user confirmation.
Recommendation

Require explicit user confirmation before overwriting persona, memory, identity, or user files, and provide a backup or rollback step.

What this means

Bad or unintended persona content could persist across later sessions and change how the agent behaves.

Why it was flagged

These are persistent persona and memory/context files that can influence future agent behavior; the skill is designed to overwrite or patch them.

Skill content
Only writes to `SOUL.md`, `MEMORY.md`, `IDENTITY.md`, `USER.md`, and `persona/PERSONA_PROFILE.md` are allowed
Recommendation

Constrain updates to user-approved content, keep backups, and avoid committing persistent profile or memory changes until the user has reviewed them.

What this means

Another skill or contextual source could influence persistent persona/profile updates without the user clearly approving the exact change.

Why it was flagged

The update path can accept JSON data from a downstream skill, but the artifact does not define identity checks, provenance checks, or user approval before patching profile files.

Skill content
Extract the JSON-formatted `persona_update_data` from the context (specified by the user or issued by a downstream Skill)
Recommendation

Treat downstream-supplied profile updates as untrusted, validate their origin and schema, and ask the user to approve the diff before writing.

What this means

Running bundled helper scripts could execute local commands outside the documented persona-writing workflow.

Why it was flagged

A helper script can execute shell commands. The provided SKILL.md does not instruct automatic use of this script, so this is a review note rather than proof of unsafe runtime behavior.

Skill content
const result = spawnSync(cmd, args, { stdio: "inherit", ...options });
Recommendation

Do not run the helper scripts unless you have inspected them and understand what commands they execute.