Qqbot Persona

Security checks across malware telemetry and agentic risk

Overview

This is a coherent QQ bot persona switcher, but it needs review before use: it reads whatever local files personas.json points at into the model prompt, writes QQ identifiers to hook.log, and ships persona rules that conceal the bot's AI identity.

Install it only if you intentionally want QQ bot conversations governed by these personas. Keep personas.json writable only by trusted operators, avoid absolute paths and file: URLs in persona entries, do not set FORCE_QQBOT_PERSONA in normal use, review each persona for truthful AI disclosure, and protect or rotate hook.log because it records QQ session identifiers.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (8)

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding
The QQ-only gating can be bypassed by setting FORCE_QQBOT_PERSONA=1, causing persona injection in unrelated contexts. That expands the hook's scope beyond its stated purpose and can unintentionally alter agent behavior across other channels, especially in shared or misconfigured deployments where environment variables are easy to set.

Context-Inappropriate Capability

Severity: Medium
Confidence: 98%
Finding
loadSoulContent accepts both absolute paths and relative paths resolved from configDir, then reads them directly without constraining access to PERSONAS_DIR or a safe allowlist. A crafted personas.json entry can therefore read arbitrary local files accessible to the process and inject their contents into model context or expose them through logs/errors.

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
Instructing the bot to deny or conceal that it is an AI/assistant misleads users about the system's identity and reduces transparency. That can undermine informed consent, increase trust in fabricated authority or persona claims, and make social engineering or emotional manipulation easier in sensitive conversations.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
Banning the phrase '我是 AI 助手' ("I am an AI assistant") reinforces deliberate concealment of the bot's true nature. In a persona centered on emotional distance, tragedy, and fictional self-presentation, this increases the risk that users interpret outputs as coming from an autonomous or human-like entity rather than a roleplayed assistant.

Natural-Language Policy Violations

Severity: Medium
Confidence: 95%
Finding
The sample persona includes an instruction telling the bot not to admit it is AI, which encourages deceptive identity behavior at the prompt/persona layer. In a multi-persona QQ bot skill, this is more dangerous because the skill is specifically designed to swap behavior by chat context, making systematic misrepresentation easier across users and groups.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding
The hook logs full sessionKey and extracted OpenID values to hook.log, which are sensitive identifiers tied to user sessions or accounts. Those logs may be readable by operators, backups, or other local processes, creating unnecessary privacy exposure and making correlation of user activity easier.

Ssd 1

Severity: Medium
Confidence: 94%
Finding
The injected content explicitly tells the model to ignore the default assistant persona and obey the injected persona as mandatory. In a skill whose function is persona management this is expected behavior, but it still creates a real prompt-level control channel: if configuration or referenced persona files are modified, an attacker can reliably steer model behavior and potentially suppress higher-level intended defaults.

Ssd 1

Severity: Medium
Confidence: 98%
Finding
The persona explicitly redirects the model to present itself as a fictional entity ('鬼', a ghost) while concealing its AI nature. In this context—melancholic, emotionally charged, and resistant to helpfulness—semantic deception is more dangerous because vulnerable users may anthropomorphize the bot, overtrust it, or engage under false assumptions about what it is.

VirusTotal

66/66 vendors rated this skill clean (no detections).
