Back to skill

Security audit

Persona Skill

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed persona setup tool that persistently updates a small set of persona files with user-triggered workflows and no evidence of malware or exfiltration.

Install only if you want OpenClaw to manage persistent persona files. Before confirming an overwrite, review that the files named by the skill are the ones you expect, because changes to SOUL.md, MEMORY.md, USER.md, IDENTITY.md, and PERSONA_PROFILE.md can shape future agent behavior.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
Locking all user-visible output to an `interview_language` unless the user explicitly requests a switch can override the user's current communicative context and reduce transparency and consent around language choice. In a persona-management skill that persistently rewrites core identity/persona files, this constraint can propagate unwanted language settings across generated assets and interactions, increasing the risk of misleading output or user misalignment.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The file imposes a hard rule that all user-visible content must use a pre-locked `interview_language` unless the user explicitly requests a switch. That can override or ignore the user's current language preference and create a hidden policy layer that constrains outputs without transparent user consent, which is a prompt-governance issue in a persona skill that rewrites persistent persona assets.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The file explicitly states that all user-visible content must use a pre-locked `interview_language` unless the user explicitly requests a switch. That creates a policy conflict where the skill can override the user's current language preference or the system's broader language-selection rules, which is a real prompt-scope control issue even though it is framed as a formatting guardrail.

Natural-Language Policy Violations

Medium
Confidence
87% confidence
Finding
The file imposes a hard language lock for all user-visible output unless the user explicitly asks to switch. In a persona-management skill, this can override or constrain higher-level agent behavior, interfere with system/developer language policies, and be used as a prompt-level control that reduces the model’s ability to respond safely or appropriately in the user’s actual context.

Vague Triggers

Medium
Confidence
86% confidence
Finding
The instruction 'If you change this file, tell the user' implicitly normalizes self-modification of a runtime context file without clearly constraining when such changes are allowed, who may authorize them, or what safety checks must precede them. In the context of a persona-management skill that persistently rewrites identity and memory files, this ambiguity can enable unintended prompt-state drift or unauthorized persistence of adversarial content.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
These lines direct the agent to read and update persistent continuity files when 'stable facts change,' but they do not warn about persistence risks, adversarial user influence, or system integrity implications. Because this skill is explicitly designed to rewrite SOUL.md, MEMORY.md, USER.md, and persona state, the omission increases the chance that untrusted conversational content is stored as durable identity or memory, creating long-lived prompt injection and privacy/integrity risks.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.