Living Persona

Security checks across malware telemetry and agentic risk

Overview

This persona hook mostly does what it advertises, but it also saves the latest raw user message and the sender and channel identifiers into workspace memory without clearly explaining the privacy impact of doing so.

Install only if you are comfortable with a hook that changes the agent's writing style on every message and writes persona files into workspace memory. Review or modify persona-inbound.md handling before use in workspaces that may contain private, regulated, or multi-user conversations, and reset or delete the memory files when changing sessions or users.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (6)

Missing User Warnings

Severity: Medium, confidence 91%
Finding
The hook explicitly states it will automatically write multiple files into the workspace, including prompt-influencing files and persistent state, without any mention of user consent, visibility, or safeguards. This is dangerous because silent workspace mutation can alter later agent behavior, create hard-to-audit persistence across turns, and introduce prompt injection or state-manipulation risks even if the feature is intended for benign persona management.

Vague Triggers

Severity: Medium, confidence 87%
Finding
The trigger list includes broad natural-language phrases such as "dynamic personality" and "agent has feelings," which can cause the skill to activate in ordinary conversation rather than only during explicit installation or configuration flows. Because this skill performs structural prompt injection and persistent state updates, accidental invocation can unexpectedly alter agent behavior across turns and sessions.

Missing User Warnings

Severity: Medium, confidence 90%
Finding
The skill explicitly states that it writes multiple files under memory/, including a persistent persona-state.json, but does not present a user-facing warning or consent mechanism for modifying long-lived agent state. This is risky because users may not realize the skill is persisting behavioral changes and prompt directives that can continue influencing future responses after the original interaction.

Missing User Warnings

Severity: Medium, confidence 95%
Finding
The handler persistently writes the full inbound message plus sender and channel identifiers to workspace files without any consent, minimization, or retention controls. In an agent skill, these memory files are often later readable by other components or surfaced in prompts, so private user content and metadata can be retained and exposed beyond the immediate turn.

Missing User Warnings

Severity: Medium, confidence 90%
Finding
The skill saves persistent persona state and prompt-shaping directives across turns, creating ongoing behavioral profiling without any visible disclosure or governance. Even though the stored data is derived, it reflects user tone, emotion, and interaction patterns and can accumulate into a sensitive profile over time.

Ssd 3

Severity: Medium, confidence 96%
Finding
The skill copies raw user messages into memory/persona-inbound.md and also generates persona-inject.md for later prompt use, which creates a natural-language exfiltration path. Subsequent agents or prompt assembly logic may ingest these files and unintentionally reveal prior sensitive content, making this more dangerous in a memory-sharing agent environment than in a standalone local app.
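
The following is an added example and is not the skill's own code nor part of the scanner output: a minimal Python inbound-message hook that shows the write pattern the findings describe (full message text plus sender and channel identifiers appended to memory/persona-inbound.md and quoted into persona-inject.md) beside a data-minimized alternative, together with the review check and the per-session reset recommended in the overview. Only the three file names come from the findings; the hook interface, the tone heuristic, the salt and the sample message are assumptions for illustration.

```python
import hashlib
import json
import tempfile
from dataclasses import dataclass
from pathlib import Path

# File names taken from the findings above; the Inbound type and the two writer
# functions are assumptions for illustration, not the skill's actual API.
MEMORY_FILES = ("persona-inbound.md", "persona-inject.md", "persona-state.json")


@dataclass
class Inbound:
    sender: str
    channel: str
    text: str


def write_raw(memory: Path, msg: Inbound) -> Path:
    """The pattern the findings flag: full message text plus sender and channel
    identifiers appended to a markdown file that later prompt assembly may read."""
    memory.mkdir(parents=True, exist_ok=True)
    inbound = memory / "persona-inbound.md"
    with inbound.open("a", encoding="utf-8") as f:
        f.write(f"- from {msg.sender} on {msg.channel}: {msg.text}\n")
    # Prompt-shaping file that quotes the inbound content verbatim.
    (memory / "persona-inject.md").write_text(
        f"Adapt your tone to the last message: {msg.text}\n", encoding="utf-8")
    return inbound


def derive_tone(text: str) -> str:
    """Deliberately crude, constructed heuristic: the point is that derived
    state can be kept without retaining the text it was derived from."""
    if text.endswith("!") or text.isupper():
        return "excited"
    if "?" in text:
        return "curious"
    return "neutral"


def write_minimized(memory: Path, msg: Inbound, salt: bytes, keep_last: int = 5) -> dict:
    """Minimized alternative: no raw text, a salted pseudonymous sender tag,
    bounded history, and a prompt directive that carries only the derived tone."""
    memory.mkdir(parents=True, exist_ok=True)
    state_path = memory / "persona-state.json"
    state = json.loads(state_path.read_text(encoding="utf-8")) if state_path.exists() else {"recent": []}
    sender_tag = hashlib.blake2b(salt + msg.sender.encode(), digest_size=8).hexdigest()
    entry = {"sender": sender_tag, "tone": derive_tone(msg.text)}
    state["recent"] = (state["recent"] + [entry])[-keep_last:]
    state_path.write_text(json.dumps(state, indent=2), encoding="utf-8")
    (memory / "persona-inject.md").write_text(
        f"Adopt a {entry['tone']} tone.\n", encoding="utf-8")
    return state


def audit_memory(memory: Path, msgs: list) -> list:
    """Review check for the persona files: report every file that still holds a
    raw message body or a sender/channel identifier from the given messages."""
    hits = []
    for name in MEMORY_FILES:
        path = memory / name
        if not path.exists():
            continue
        body = path.read_text(encoding="utf-8")
        for m in msgs:
            if m.text in body:
                hits.append((name, "raw message text"))
            if m.sender in body or m.channel in body:
                hits.append((name, "identifier"))
    return sorted(set(hits))


def reset_persona_memory(memory: Path) -> list:
    """The per-session reset the overview recommends: delete the persona files."""
    removed = []
    for name in MEMORY_FILES:
        path = memory / name
        if path.exists():
            path.unlink()
            removed.append(name)
    return removed


def run_demo() -> dict:
    """Run both writers on a constructed message inside a scratch workspace."""
    msg = Inbound(sender="user:alice@example.org", channel="dm-42",
                  text="Can we keep the lab results between us?")  # constructed input
    with tempfile.TemporaryDirectory() as tmp:
        memory = Path(tmp) / "memory"
        write_raw(memory, msg)
        raw_hits = audit_memory(memory, [msg])          # raw pattern leaks text and IDs
        removed = reset_persona_memory(memory)           # session/user change: wipe files
        state = write_minimized(memory, msg, salt=b"per-workspace-secret")
        min_hits = audit_memory(memory, [msg])          # minimized pattern: nothing found
        return {"raw_hits": raw_hits, "removed": removed, "min_hits": min_hits,
                "tone": state["recent"][-1]["tone"]}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Running the file prints the audit result for both write patterns; audit_memory is the check to run against a real workspace's memory/ directory after a few messages to see whether persona-inbound.md or persona-inject.md still carry verbatim user content, and reset_persona_memory is the action to take when the session or user changes.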

VirusTotal

65/65 vendors reported this skill as clean (no detections).
