八字人格.skill / Bazi Person Skill

Security checks across malware telemetry and agentic risk

Overview

This is a coherent local persona-memory skill that stores user-provided persona facts and imported chats on disk, with no artifact evidence of exfiltration or hidden destructive behavior.

Install only if you are comfortable with persona data being saved locally under the skill's personas directory or a configured base_dir. Do not import private or third-party chat logs unless you have reviewed and redacted them first, and avoid pointing base_dir or BAZI_PERSONA_HOME at broad or sensitive filesystem locations.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (8)

Description-Behavior Mismatch

Medium | Confidence: 95%
Finding
The chat workflow automatically persists user messages as long-term memories when they match broad keywords like 'remember' or 'update', without explicit confirmation or a clear consent boundary. In a persona/memory skill, this can cause oversharing, unwanted retention of sensitive personal data, and prompt users into accidental persistent storage during ordinary conversation.

Context-Inappropriate Capability

Medium | Confidence: 86%
Finding
The file includes hidden behavioral toggles for 'cheat mode' and startup injection requests that alter persona behavior outside normal chat expectations. These capabilities increase prompt-surface area and can be abused to steer the assistant into alternate operating modes not clearly disclosed by the skill's stated purpose, raising the risk of instruction manipulation and unsafe persona priming.

Missing User Warnings

Medium | Confidence: 93%
Finding
The workflow tells the agent to import external chat logs, extract candidate facts, and persist them into memory/snapshot stores, but it does not require explicit user confirmation, privacy notice, or retention guidance before writing sensitive third-party content. This creates a real privacy and consent risk, especially because uploaded chats may contain personal data about multiple people and may be stored long-term.

Missing User Warnings

Medium | Confidence: 91%
Finding
The delete command removes stored persona data immediately once a slug or matching name is resolved, with no confirmation prompt, dry-run mode, or undo safeguard. In a CLI that manages persistent persona files, this creates a realistic risk of accidental or scripted data loss, especially if name resolution is ambiguous or users mistype arguments.

Missing User Warnings

Medium | Confidence: 93%
Finding
The import workflow merges imported memories and appends candidate chat history directly into persona state without any disclosure, review, or approval step in this code path. This can silently ingest sensitive or untrusted content, poison persona memory/history, and create durable privacy and integrity issues if users import the wrong dataset or adversarial transcripts.

Missing User Warnings

Medium | Confidence: 96%
Finding
Broad keyword matching causes ordinary chat messages to be automatically stored as memories without telling the user at the time of capture. Because this skill is specifically designed around personas and personal facts, silent persistence is more dangerous here: users are likely to reveal intimate relationship, birth, or behavioral details that become long-term memory unintentionally.

Ssd 3

Medium | Confidence: 91%
Finding
The skill explicitly instructs the agent to retain user-provided real-world facts and reflect them into persona files and structured memory/history stores. Persisting plain-language facts about real people increases the risk of privacy leakage, over-collection, and unintended reuse of sensitive personal information beyond the original conversation context.

Ssd 3

High | Confidence: 97%
Finding
This flow is more dangerous than ordinary persona storage because it automates extraction of facts from uploaded conversations and writes them into long-term memory and snapshot stores. That can silently transform large volumes of sensitive, contextual, and third-party data into durable profiles, increasing privacy harm, consent violations, and downstream misuse if those files are later queried or exposed.

VirusTotal

65/65 vendors flagged this skill as clean.