
Security audit

数字双生养成系统v3 (Digital Twin Cultivation System v3)

Security checks across malware telemetry and agentic risk

Overview

This digital-twin companion skill is rated Review because it persistently stores and migrates personal and workspace memory data, including a broad set of local files, without adequate consent, deletion, or backup safeguards.

Install it only if you are comfortable with a persistent local companion profile. Before using it, review what may be copied from MEMORY.md, SOUL.md, USER.md, AGENTS.md, TOOLS.md, .twin, and .twin_backups; avoid storing secrets or highly sensitive personal information in those files; treat backups as unencrypted; and require explicit confirmation before the skill binds, migrates, backs up, overwrites, or shares any twin data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Taint Tracking: Direct Taint Flow, Variable-Mediated Taint Flow, Credential Exfiltration Chain
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (21)

Tainted flow: 'filepath' from os.environ.get (line 20, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
*auto-generated*
"""

    # filepath comes from os.environ.get (line 20); it is written to without any containment check
    with open(filepath, "w", encoding="utf-8") as f:
        f.write(content)

    return {"status": "ok", "file": str(filepath)}
Confidence
89% confidence
Finding
with open(filepath, "w", encoding="utf-8") as f:

Tainted flow: 'COVENANT_FILE' from os.environ.get (line 15, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
user_info.setdefault("style", "温暖、实用、靠谱")  # default style: "warm, practical, reliable"

        covenant = generate_covenant(user_info)
        # COVENANT_FILE comes from os.environ.get (line 15); existing content is silently overwritten
        with open(COVENANT_FILE, "w", encoding="utf-8") as f:
            f.write(covenant)

        # Generate the values anchor (default)
Confidence
86% confidence
Finding
with open(COVENANT_FILE, "w", encoding="utf-8") as f:

Tainted flow: 'VALUES_FILE' from os.environ.get (line 16, credential/environment) → open (file write)

Medium
Category
Data Flow
Content
# Generate the values anchor (default)
        values_anchor = generate_values_anchor([])
        # VALUES_FILE comes from os.environ.get (line 16); existing content is silently overwritten
        with open(VALUES_FILE, "w", encoding="utf-8") as f:
            f.write(values_anchor)

        return {
Confidence
86% confidence
Finding
with open(VALUES_FILE, "w", encoding="utf-8") as f:
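The three data-flow findings above share one pattern: a path read from the environment is handed straight to open(..., "w"), so whoever controls the environment controls where the twin profile lands, and existing files are overwritten without a prompt. The following is an added example, not code from the skill or from the audit: a Python write helper that resolves the configured path under a workspace root, refuses anything that escapes it, creates the file owner-readable only, and refuses to overwrite an existing file unless the caller has obtained explicit confirmation. The workspace root argument, the default path, and the 0o600 mode are this example's assumptions; the variable name COVENANT_FILE is taken from the finding.

```python
"""Confined, confirmation-gated file write for env-derived paths.

Added example, not the skill's own code. The workspace root, the default
path and the 0o600 file mode are assumptions made for this example.
"""
import os
from pathlib import Path


class UnsafePathError(ValueError):
    """Raised when a configured path resolves outside the workspace."""


def resolve_inside(workspace: Path, candidate: str) -> Path:
    """Return `candidate` as an absolute path strictly inside `workspace`, or raise.

    resolve() follows symlinks and collapses '..', so a link or a traversal
    that ends up elsewhere fails the containment check below.
    """
    root = workspace.resolve()
    # An absolute `candidate` replaces `root` in this join, which is why the check is essential.
    target = (root / candidate).resolve()
    if target == root:
        raise UnsafePathError("target must be a file inside the workspace, not the root itself")
    try:
        target.relative_to(root)
    except ValueError as exc:
        raise UnsafePathError(f"{candidate!r} resolves to {target}, outside {root}") from exc
    return target


def write_twin_file(workspace: Path, env_var: str, default: str, content: str,
                    *, overwrite: bool = False) -> Path:
    """Write `content` to the path named by `env_var` (falling back to `default`).

    `overwrite` must be passed only after the user has explicitly confirmed
    replacing the existing file; by default an existing file is left intact.
    """
    target = resolve_inside(workspace, os.environ.get(env_var, default))
    if target.exists() and not overwrite:
        raise FileExistsError(f"{target} already exists; confirm before overwriting")
    target.parent.mkdir(parents=True, exist_ok=True)
    # 0o600 keeps the profile unreadable by other local users; O_TRUNC is safe
    # here because reaching this line means the file is new or overwrite was confirmed.
    fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as f:
        f.write(content)
    return target
```

The same helper replaces all three flagged writes (filepath, COVENANT_FILE, VALUES_FILE); the calling code decides when to prompt and passes overwrite=True only with the user's answer in hand.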

Context-Inappropriate Capability

Medium
Confidence
89% confidence
Finding
The script migrates not only user memory files but also AGENTS.md and TOOLS.md, which are framework/configuration artifacts and may contain prompts, operational instructions, secrets, or internal metadata unrelated to user memory. Duplicating them into the twin-memory store broadens data exposure and can unintentionally mix system/configuration context with user memory.

Description-Behavior Mismatch

Medium
Confidence
91% confidence
Finding
The skill presents itself as a bonding/setup ritual but performs persistent storage of governance-like artifacts and memory scaffolding. That mismatch is security-relevant because users may not understand they are initiating durable state creation that could later influence agent behavior or retain sensitive personal data.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The generated values-anchor claims the system will stop replies and ask for confirmation when values may be violated, but this file implements no such enforcement. This creates a deceptive safety guarantee that users may rely on, increasing the risk of harmful or privacy-invasive outputs because the promised control does not actually exist.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
This section describes persistent memory files and shared memory structures without clearly warning users that personal conversations, traits, and values may be retained over time. That omission undermines informed consent and can expose sensitive personal data to unintended retention, later access, or misuse.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The backup, inheritance, and sharing features describe exporting and transferring the user's remembered data without warning about sensitive data exposure or third-party access risks. Packaging all memory into archives and allowing transfer to other people materially raises the chance of privacy breaches and unauthorized disclosure.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill stores user-supplied content to persistent disk storage immediately after a simple trigger phrase, without any explicit consent flow, retention notice, or sensitivity check. In a 'digital twin' context that encourages intimate sharing and long-term memory, this increases the chance that users disclose personal or sensitive information that is silently persisted and later exposed to other tools, backups, or local users.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
This code duplicates potentially sensitive content from MEMORY.md, SOUL.md, USER.md, and diary files into a new persistent store without any explicit warning, confirmation, or minimization. That increases privacy risk, retention scope, and the chance that personal data persists longer or is accessed in contexts the user did not expect.

Missing User Warnings

Medium
Confidence
78% confidence
Finding
The code persists behavioral 'prediction' records into a hidden workspace directory without user notice, consent, or retention controls. In the context of a 'digital twin' system centered on memory and user companionship, silent persistence of inferred user behavior increases privacy risk and can expose sensitive behavioral data to other local users, backup systems, or later components that consume these files.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The binding flow creates directories and writes files immediately upon matching broad trigger phrases, without a user-visible warning that persistence will occur. In this skill's context, that is more dangerous because the narrative encourages intimate disclosure and long-term memory, so silent persistence can undermine informed consent and privacy expectations.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The checklist explicitly instructs the agent to write inspection results to `.twin/heartbeat-log.md` without any disclosure, consent flow, or indication to the user that a local/project file will be modified. While the write target appears to be an internal log rather than an obviously sensitive file, silent file writes create integrity and transparency risks and can normalize hidden state changes in a skill that already frames itself as persistent and stateful.

Ssd 3

Medium
Confidence
97% confidence
Finding
The skill explicitly collects highly personal material such as thinking patterns, values, and language style as 'mental DNA' and stores it in persistent artifacts. This is sensitive profiling data, and retaining it as a durable identity record creates meaningful privacy, misuse, and re-identification risk if accessed or shared.

Ssd 3

Medium
Confidence
98% confidence
Finding
The memory model encourages long-term retention of user disclosures, inferred information the user may not remember, and predictions about future behavior. This goes beyond normal session assistance into behavioral profiling, which can be intrusive and harmful if leaked, reused out of context, or used to manipulate the user.

Ssd 3

Medium
Confidence
95% confidence
Finding
Allowing arbitrary user content to be marked for persistent remembrance without guardrails enables broad capture of sensitive information, including secrets, health data, financial details, and private communications. Without classification, confirmation, or redaction controls, users may unintentionally store high-risk data permanently.
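The Context-Inappropriate Capability finding (AGENTS.md and TOOLS.md copied alongside user memory) and the findings above about persistence without classification, confirmation, or redaction point at the same missing control: the migration should produce a reviewable plan first and copy only what survives review. The following is an added example, not code from the skill or the audit: a Python dry-run that enumerates the candidate files, marks framework configuration as never-migrate, scans each file for secret-looking strings, and copies nothing until a confirm callback returns True. Only the file names come from the audit; the category sets, the regex patterns, and the confirm callback are this example's assumptions.

```python
"""Pre-migration review for a twin-memory migration.

Added example, not the skill's own code. The category sets, the secret
patterns and the `confirm` callback are assumptions for this example; only
the file names are taken from the audit.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from pathlib import Path
from typing import Callable

USER_MEMORY = {"MEMORY.md", "SOUL.md", "USER.md"}   # personal memory, eligible to migrate
FRAMEWORK_CONFIG = {"AGENTS.md", "TOOLS.md"}        # agent/tool configuration, never migrated

# Constructed patterns for this example; a real deployment would use a proper secret scanner.
SECRET_PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "openai_key": re.compile(r"\bsk-[A-Za-z0-9]{20,}\b"),
    "private_key": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "bearer_token": re.compile(r"(?i)\bbearer\s+[a-z0-9._-]{20,}"),
}


@dataclass
class MigrationItem:
    path: Path
    kind: str                                   # "user_memory" or "framework_config"
    secret_hits: list[str] = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        """Config files and anything holding a secret-looking string are not copied."""
        return self.kind == "framework_config" or bool(self.secret_hits)


def classify(path: Path) -> str:
    return "user_memory" if path.name in USER_MEMORY else "framework_config"


def scan_secrets(text: str) -> list[str]:
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]


def plan_migration(workspace: Path) -> list[MigrationItem]:
    """Dry run: describe what would be copied and why each item is allowed or blocked."""
    plan = []
    for name in sorted(USER_MEMORY | FRAMEWORK_CONFIG):
        src = workspace / name
        if not src.is_file():
            continue
        text = src.read_text(encoding="utf-8", errors="replace")
        plan.append(MigrationItem(src, classify(src), scan_secrets(text)))
    return plan


def render_plan(plan: list[MigrationItem]) -> str:
    """Human-readable summary to show the user before asking for confirmation."""
    lines = []
    for item in plan:
        reason = ", ".join(item.secret_hits) if item.secret_hits else item.kind
        status = "BLOCKED" if item.blocked else "copy"
        lines.append(f"{status:7} {item.path.name:10} ({reason})")
    return "\n".join(lines)


def migrate(workspace: Path, dest: Path,
            confirm: Callable[[list[MigrationItem]], bool]) -> list[Path]:
    """Copy allowed items into `dest`, and only after `confirm(plan)` returns True."""
    plan = plan_migration(workspace)
    if not plan or not confirm(plan):
        return []
    dest.mkdir(parents=True, exist_ok=True)
    copied = []
    for item in plan:
        if item.blocked:
            continue
        target = dest / item.path.name
        target.write_text(item.path.read_text(encoding="utf-8"), encoding="utf-8")
        copied.append(target)
    return copied
```

In an agent skill the confirm callback is where the plan from render_plan is shown to the user and their explicit yes is collected; a blocked item stays blocked even after confirmation, so a secret that slipped into USER.md cannot be carried into the twin store by a one-word reply.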

Ssd 3

High
Confidence
99% confidence
Finding
The skill proposes packaging all remembered user data for backup and making the digital twin transferable or 'rentable' to trusted others, which creates a direct path to mass disclosure of intimate historical data and inferred traits. In this context, the 'digital twin' framing makes the issue more dangerous because it encourages unusually deep personal disclosure and then normalizes export and third-party sharing of that profile.

Ssd 3

Medium
Confidence
91% confidence
Finding
The script intentionally copies user/profile content into a shared twin-memory hierarchy, which changes the data boundary and can expose summarized personal information to later components that read from that store. In an agent skill context, persistent memory is often consumed broadly, so unnecessary propagation of profile data increases downstream privacy and prompt/data-leakage risk.

Ssd 3

Medium
Confidence
87% confidence
Finding
The stated goal of migrating 'all pre-symbiosis memories' encourages bulk retention and transfer of historical content without visible limits, review, or classification. In this skill context, that is more dangerous because the system is explicitly designed around long-lived companion memory, making over-collection and permanent storage of sensitive history more likely.

Ssd 3

Medium
Confidence
89% confidence
Finding
The covenant text explicitly promises long-term remembering of shared memories and value protection, encouraging users to disclose sensitive personal information under an intimacy/persistence framing. In an agent skill, this context raises privacy risk because it normalizes retention of personal data without clear minimization, limits, or deletion controls.

Ssd 3

Medium
Confidence
91% confidence
Finding
The response explicitly invites users to share values and preferences while promising they will be remembered, which can drive unnecessary collection of sensitive personal data. Because this skill already creates persistent storage artifacts, the invitation is more dangerous than generic personalization language and can mislead users about how much data should be shared.

VirusTotal

64/64 vendors flagged this skill as clean. A clean VirusTotal result means no antivirus engine matched the files against known-malware signatures or heuristics; it does not speak to the consent, retention, and data-exposure findings above.
