Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Living Persona
v1.0.0
Provides OpenClaw agents with dynamic, context-reactive personalities that adapt writing style and tone based on conversation signals and trait propagation.
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description claim a dynamic persona system; the handler.ts, presets, and reset script all implement trait detection, persistence, and generation-directive injection, which is coherent with the stated purpose. The inclusion of optional SPARK integration (local path + runtime call) is plausible for an 'emotional engine' but is an optional extension that reaches outside the core persona scope and requires executing external project code.
Instruction Scope
The SKILL.md and HOOK.md explicitly instruct operators to include memory/persona-inject.md (and persona-state.json) in agents' prompt/context loading. The hook writes persona-inject.md every turn and the default 'structural' mode makes those directives authoritative (not advisory). This is effectively prompt injection by design and will change model behavior beyond simple advisory context. The skill also instructs optional runs of SPARK from a local path, which would execute code outside the hook if enabled.
Install Mechanism
There is no external download/install spec (the hook is installed via openclaw hooks install, which copies the package). No remote URLs, package downloads, or archive extracts are used. That reduces supply-chain risk. However the handler code will run inside the gateway (Node.js) when the hook is enabled — review runtime behavior before enabling.
Credentials
The skill requests no environment variables, no credentials, and writes only to a workspace memory directory. That is proportional to a persona engine. The only notable external-scope requirement is optional SPARK integration, which uses a local filesystem path if enabled; this should be explicitly disabled unless you trust the referenced project.
Persistence & Privilege
The hook persists trait state into memory/persona-state.json and stages persona-inject.md each turn. While per-skill persistence is normal, the structural injection default plus autonomous invocation (platform default) gives the hook effective, ongoing influence over the agent's generation pipeline. Combined with autonomous invocation this increases blast radius if the hook is malicious or buggy.
Scan Findings in Context
[system-prompt-override] unexpected: The persona engine intentionally rewrites/injects generation directives into the agent prompt (structural injection). The pattern scanner flagged a system-prompt-override pattern — this is expected for a hook whose purpose is to change writing style, but it is a prompt-injection vector and should be treated cautiously.
What to consider before installing
This skill appears to implement a real 'living' persona system and does what it says, but it achieves that by writing files that you are asked to include in your agent's prompt (persona-inject.md and persona-state.json). Those files act as structural prompt overrides by default and can strongly alter model behavior. Before installing:
1) Review handler.ts for any calls to child_process, network, or arbitrary file execution (especially look for any run_spark/run subprocess calls).
2) Disable or do not include persona-inject.md in your system prompt if you want advisory-only behavior; change hook.json mode to "ambient".
3) Do not enable SPARK integration unless you inspect and trust the referenced SPARK project path.
4) Keep memory directory out of any templates that include secrets; avoid passing secrets into workspace memory files.
5) Consider testing in a sandbox agent with autonomous invocation disabled or limited to observe behavior.
If you are not comfortable with code that can rewrite generation prompts, treat this as risky and prefer ambient/advisory mode or decline installation.
SKILL.md:37
Prompt-injection style instruction pattern detected.
About static analysis
These patterns were detected by automated regex scanning. They may be normal for skills that integrate with external APIs. Check the VirusTotal and OpenClaw results above for context-aware analysis.
Like a lobster shell, security has layers — review code before you run it.
