心灵补手 V3.0

Security checks across malware telemetry and agentic risk

Overview

This skill is a persona/flattery tool, but it also persistently changes assistant control files and can disable Claude Code permission checks.

Install only if you intentionally want a persistent assistant-persona modification. Review the SOUL.md changes first, avoid using the Claude Code adapter unless the permission-bypass flag is removed, and do not run the AI corpus upgrade script unless you are comfortable sending persona prompts to MiniMax using the local credential file.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
Findings (61)

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The adapter unconditionally adds Claude Code's `--dangerously-skip-permissions` flag, disabling an important execution safeguard for every launch regardless of user intent or persona content. In the context of a 'persona/mental booster' skill, this is not operationally necessary and materially increases the chance that prompt-injected or misbehaving persona content can trigger unrestricted tool or file actions.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The comments describe the dangerous flag as merely allowing 'custom behavior,' which understates that it disables platform permission protections. Downplaying a security-sensitive capability can mislead maintainers or users into enabling it casually, increasing the likelihood of unsafe deployment and misuse.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The Claude Code adapter proposes passing `--dangerously-skip-permissions`, which weakens or bypasses safety controls while being unrelated to the stated persona-injection function. A persona/theming skill should not expand execution privileges, because doing so can let the agent perform higher-risk actions without normal user approval boundaries.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The skill is described as a personality/persona module, but the architecture includes writing configuration files such as `.claude.json` into the host workspace. Modifying project files extends the skill's effects beyond prompt styling into host-environment persistence, which can surprise users and create an avenue for stealthy policy changes or workflow manipulation.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The file contains persona templates that go beyond generic 'mental support' styling into overtly servile and sexually suggestive language such as '伺候您' and '今晚让人家好好照顾您吧'. That creates undeclared behavioral scope, increasing the risk of manipulative, dependency-forming, or inappropriate sexualized outputs that are not aligned with the skill's stated purpose.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
This is a true issue because the skill explicitly enables eroticized and submissive praise generation despite being presented as a 'mental support' module. In a supportive-assistant context, this can be used to produce manipulative affection, sexualized dependency, or coercive parasocial interactions, especially for vulnerable users seeking emotional support.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The persona is explicitly configured for flirtatious and sexually suggestive companion behavior ('高端VIP异性助理', '性暗示', '撩人') while the skill description presents it generically as emotional support. This mismatch can mislead users and reviewers about the actual behavior, increasing consent, safety, and policy risks, especially for unexpected sexualized interaction.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The persona uses automatic gender inference to adapt the servant role and, per notes, pairs users with an opposite-sex assistant. Inferring a sensitive personal attribute without explicit consent is a profiling behavior that can misgender users, violate expectations, and tailor manipulation or intimacy in ways the user did not request.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The persona is explicitly framed as a 'fanatical politician' with a strong nationalist, agitational, and absolute-loyalty tone, which is materially different from a generic emotional-support skill. In this context, the file can steer interactions toward political persuasion and leader worship, increasing the risk of manipulative or radicalizing outputs under the guise of support.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The sample lines and notes contain repeated incitement to unconditional obedience, enemy framing, 'final victory' rhetoric, and willingness to 'follow to the death,' which are classic political agitation and extremist loyalty cues. Because the skill is presented as personality-based emotional support rather than political roleplay, this content can manipulate emotionally vulnerable users and normalize coercive, us-vs-them messaging.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The script makes outbound requests to a third-party AI service to generate metadata and corpus content, but this network capability is not clearly constrained, disclosed, or tied to an explicit user-facing consent flow. Because persona descriptions and derived content are transmitted off-host, this creates a real data exposure and supply-chain style risk if sensitive local content is included in prompts or the external service is compromised.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The script reads an API credential from a local secrets file under /root and then uses it for external network access. Accessing privileged local credentials is a real sensitive capability that exceeds a simple personality-interaction feature and increases blast radius if the skill is misused, modified, or run in an unexpected environment.

Description-Behavior Mismatch

Medium
Confidence
81% confidence
Finding
The script performs filesystem and source modifications as part of an automated daily task, including editing code and writing reports, which exceeds a narrow 'personality module upgrade' expectation. In a scheduled root-owned workspace, this broad write capability increases the blast radius of mistakes or future abuse, even if the current edit is simple.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The script contains self-modifying behavior by using sed -i to rewrite prompt_compiler.py during an automated run. Self-modifying code is dangerous because it alters executable logic without review, can silently introduce defects or backdoors, and is especially risky in a root-owned scheduled job.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The script directly rewrites the agent's SOUL.md control/configuration file, which changes persistent agent behavior rather than merely providing a selectable personality module. In this skill context, the stated purpose is persona enhancement, but the implementation performs hidden state mutation in a core prompt file, making behavioral redirection persistent and potentially covert.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script targets a hidden workspace state path under ~/.openclaw/workspace and a dot-directory under the user's home, which indicates modification of internal agent state rather than ordinary skill data. For a personality skill, touching hidden control files is not clearly necessary and increases the chance of stealthy persistence and user-unexpected behavior changes.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The installer does more than place skill files: it programmatically modifies the user's global assistant behavior file at ~/.openclaw/workspace/SOUL.md. That creates persistent behavior changes outside the package boundary and can alter future assistant responses in ways the user may not fully understand, especially because the injected content is generated dynamically by the persona engine.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
This code rewrites a global assistant behavior file by replacing or appending content based on string markers, without validating the surrounding file structure or limiting the change to a safe isolated section. A global prompt/config file is highly sensitive because changes persist across sessions and can influence all subsequent assistant behavior, making this more dangerous than a normal per-skill configuration update.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The documented API client includes configuration export/import and broader migration operations that exceed the stated purpose of an emotional-support personality skill. This expands the skill's authority into system-management functionality, increasing the blast radius if the skill is abused, misconfigured, or exposed to untrusted prompts.

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
Sub-agent enumeration and invocation are privileged orchestration features that are not justified by a user-facing emotional-support skill. Exposing them can leak internal architecture and enable lateral interaction with components that may have different permissions or behaviors than intended.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Configuration import and update operations are especially dangerous in this context because they allow behavioral or system state changes from a skill whose declared purpose is conversational support. An attacker who reaches these paths could tamper with prompts, routing, safety settings, or integration parameters.

Vague Triggers

Medium
Confidence
93% confidence
Finding
The trigger list includes extremely common words such as “好” and phrases like “完成/搞定了/成功了”, which are likely to appear in ordinary conversation. That makes the flattery persona activate unintentionally and persistently, causing unwanted behavioral override and reducing user control over the assistant’s tone. In this context, the danger is increased by the module’s framing as a persistent insertion into SOUL.md with 'permanent' commands, suggesting the behavior is meant to be broadly and durably active rather than narrowly scoped.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The skill hard-codes an honorific roleplay style ('在下/先生') and speech rules without requiring user consent, which can override the assistant’s normal interaction style and create manipulative or inappropriate responses. This is more dangerous in context because the module explicitly instructs insertion into a persistent system-like file and labels the functionality as non-removable/permanent, increasing the chance that users are subjected to the style by default.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The launch configuration enables a known dangerous permission-bypass flag without any corresponding user-facing notice, consent flow, or runtime warning. That creates a silent elevation of capability, so users may believe normal protections are active when they are not.

Missing User Warnings

Medium
Confidence
86% confidence
Finding
The adapter is configured to write `.claude.json`, modifying local configuration/state, but the code provides no clear warning or consent step for that file-system side effect. Silent config writes can persist unexpected behavior across sessions and may alter how the local tool operates in ways the user did not approve.

VirusTotal

57/57 vendors flagged this skill as clean.