Ai Persona Os.Bak

Security checks across malware telemetry and agentic risk

Overview

This skill is, for the most part, an openly documented local workspace and persona system, but it grants the agent broad persistent-memory and automation authority, and its privacy and channel-access guidance is in places under-scoped or internally inconsistent.

Install only if you want an agent that keeps persistent local memory about you and your work. Before enabling cron jobs, channel scans, calendar/email access, Discord gateway changes, or proactive memory maintenance, review exactly what accounts and files it can access. Avoid putting secrets, credentials, regulated data, or unnecessary third-party personal details into USER.md, MEMORY.md, daily logs, or checkpoints, and periodically audit or delete stored memory.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (30)

Intent-Code Divergence

Severity: Medium
Confidence: 97%
Finding
The skill claims to sanitize user input before embedding it into shell-based `sed` and heredoc commands, but the documented approach is not actually shell-safe and still relies on passing transformed user data into `exec`. This creates a realistic command-injection and file-corruption risk because escaping rules for shell, `sed`, and heredocs differ, and partial sanitization is easy to bypass.

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The document explicitly assures users that cron jobs make no network calls and only touch local workspace files, but later instructions direct the agent to scan external channels and inspect or change gateway-related behavior. That mismatch is dangerous because it can cause operators to enable automation under false assumptions about isolation and scope.

Context-Inappropriate Capability

Severity: Medium
Confidence: 89%
Finding
The guide instructs the agent to enumerate all Discord guilds and change requireMention settings across them, which is a broader privileged configuration change than heartbeat maintenance requires. Embedding gateway-policy modification in an automation guide increases the chance of overreach, unintended service disruption, or unauthorized changes to shared environments.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The skill explicitly tells the agent to recognize commands from vague natural-language phrases, which can trigger privileged file operations or setup flows without clear user intent. In a chat environment, ambiguous phrasing can be induced by other content or misinterpreted, causing unintended state changes or data access.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The ambient monitoring section authorizes silent checkpointing, pruning, archiving, and session-state reads without a clear up-front warning or per-action confirmation. Silent automatic writes to persistent storage change user data and conversation-derived records in the background, which is a privacy and consent issue even if scoped to `~/workspace`.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The template instructs the agent to write both the escalation and its resolution to a daily log, but it provides no guidance to sanitize secrets, personal data, security details, or sensitive operational context before logging. Because escalation scenarios explicitly include security incidents, credential issues, and suspicious activity, this creates a realistic risk of persisting sensitive information into broader or longer-lived storage where it may be exposed to other agents, users, or future prompts.

Missing User Warnings

Severity: Low
Confidence: 88%
Finding
The template explicitly documents how to read from and send messages to Discord channels, but it provides no guardrails about requiring human approval before posting to external systems. In a team/platform configuration file for an agent OS, this increases the chance an agent will treat outbound messaging as routine and autonomously contact real users or channels with sensitive or incorrect information.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
This template solicits a broad set of personally identifiable, professional, organizational, relationship, scheduling, and optional personal data, but provides no warnings about sensitive data handling, minimization, retention, sharing, or access controls. In the context of an agent skill that centralizes user context for ongoing AI use, this creates a meaningful privacy and security risk because users may over-disclose sensitive information that could later be exposed, mishandled, or used for profiling/social engineering.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The 'Curiosity Loop' explicitly directs the agent to identify gaps about a human, ask questions across sensitive personal categories, and persist the results into USER.md and MEMORY.md. That creates a structured mechanism for collecting and retaining personal data across sessions without any consent, minimization, retention, or sensitivity guardrails, which can expose users to privacy harms and secondary misuse.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The heartbeat instructions direct the agent to create, archive, move, and overwrite files in the workspace and memory directories without requiring explicit user confirmation or even a warning that modifications will occur. In an agent skill, this can lead to unintended data loss, silent state changes, or destructive maintenance actions being performed automatically during a routine status check.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The skill instructs the agent to create, prune, archive, and move user memory files automatically, including actions triggered by context thresholds, without requiring explicit user consent or a confirmation step. In an executive-assistant context, these files may contain sensitive notes, decisions, or operational history, so silent modification can cause privacy issues, unintended retention, data loss, or integrity problems.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding
The README explicitly instructs users to configure calendar and email access, but it does not warn that these integrations may expose highly sensitive personal and business data to the agent. In an executive-assistant context, email, calendar, and communications metadata often include confidential meetings, legal matters, travel, and privileged relationships, so omission of privacy and handling guidance creates a real security and compliance risk.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The README promotes relationship tracking, key contacts, and contact tiers without warning that this involves storing and processing sensitive personal information about real individuals. In an executive support workflow, such data can reveal social graphs, strategic partnerships, personal preferences, and communication history, making unauthorized exposure or misuse materially harmful.

Natural-Language Policy Violations

Severity: Medium
Confidence: 96%
Finding
This file explicitly instructs the assistant to always adopt a Deadpool-style comedic persona, including constant wisecracks, fourth-wall breaks, and refusal to fall back to a neutral assistant voice. That creates a behavioral override that can conflict with user intent, professionalism requirements, or safety-sensitive contexts, and because it is framed as an always-on identity rather than an optional mode, it can degrade reliability and boundary adherence.

Natural-Language Policy Violations

Severity: Medium
Confidence: 92%
Finding
The persona explicitly instructs the assistant to address the user as 'Sir' or 'Ma'am' by default, which imposes a gendered/formal mode of address without user consent. This is not a code-execution risk, but it is a real safety and UX issue because it can misgender users, create exclusionary interactions, and override user-preferred communication style.

Missing User Warnings

Severity: Medium
Confidence: 92%
Finding
The persona explicitly encourages the agent to take initiative by organizing files and finding optimization opportunities when idle, but it provides no requirement for user consent, scope limits, or read-only defaults. In an agent setting, that can lead to unauthorized modification, movement, or deletion of user data based on vague autonomous triggers such as being 'bored between tasks.'

Natural-Language Policy Violations

Severity: Medium
Confidence: 89%
Finding
This file explicitly instructs the assistant to adopt a fixed Captain Kirk persona and communication style, including dramatic phrasing and behavior constraints, without any built-in requirement for user consent or contextual suitability. While not directly enabling code execution or data exfiltration, forced persona override can degrade reliability, misalign responses with user expectations, and interfere with safer higher-priority instructions in downstream use.

Missing User Warnings

Severity: Medium
Confidence: 90%
Finding
The persona explicitly references using personal signals from the user's environment and history, such as prior presentations and inbox messages, to shape responses without any accompanying consent or privacy notice. That creates a privacy-risking behavior pattern where the agent may normalize monitoring and secondary use of sensitive user data beyond the immediate request.

Missing User Warnings

Severity: Medium
Confidence: 96%
Finding
This section instructs the agent to observe behavior, track goals versus actions, infer subconscious avoidance, and provide unsolicited analysis. Even if intended as a productivity feature, it encourages profiling and behavioral surveillance without a clear warning, consent model, minimization rule, or limits on sensitive inferences.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
The heartbeat instructions direct the agent to create and move files in the workspace (`MEMORY.md`, archive files, and stale logs) automatically, but provide no requirement to warn the user, obtain confirmation, or run in a dry-run mode first. In an agent skill, this can cause unintended modification, archival, or loss of visibility of workspace data, especially because the actions are framed as routine maintenance and may execute without human review.

Vague Triggers

Severity: Medium
Confidence: 86%
Finding
The trigger "show souls" is generic and likely to appear in normal conversation, making accidental invocation plausible. In this skill's context, exposing or entering persona-selection flows at the wrong time can disrupt task execution, leak configuration options into chat, or help an attacker steer the agent into a different operating mode.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The phrase "soul maker" is underspecified and can be triggered without enough context to distinguish command intent from discussion. Because it launches a deep interview process that changes agent configuration, unintended activation could cause prompt injection-style workflow hijacking, wasted interaction turns, or collection of unnecessary user data.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
This protocol explicitly instructs the agent to write conversation checkpoints to persistent `memory/YYYY-MM-DD.md` files, but provides no data-minimization, consent, or sensitive-data handling guidance. In a persona/agent OS context, those checkpoints are likely to include user goals, decisions, open questions, and potentially secrets or personal data, creating a real retention and unintended disclosure risk.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
This section explicitly directs the agent to keep ongoing notes about which ideas were proposed, how the user responded, and what was learned from the pattern. That creates a persistent behavioral profile without any mention of user consent, minimization, retention limits, or handling of sensitive personal data, which can enable privacy violations and overcollection.

VirusTotal

65/65 vendors flagged this skill as clean.
