Security audit

superSoul

Security checks across malware telemetry and agentic risk

Overview

This skill is not exfiltrating data, but it persistently builds sensitive psychological and emotional profiles with broad automatic use and few user controls.

Install only if you intentionally want a local assistant component to keep a long-term psychological and emotional profile of users. Before use, decide who can access ~/.openclaw/data/herHug, whether raw message content should be saved, how users can opt in or delete data, and whether proactive care/intimacy features are appropriate for your deployment.

SkillSpector

By NVIDIA

Vulnerability Patterns

  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection

Findings (23)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill reads workspace-level files such as IDENTITY.md, USER.md, and interaction-preferences.json to bootstrap a psychological profile, then persists derived traits locally. This exceeds the apparent needs of a scoring engine and creates cross-context sensitive data access and profiling without clear necessity or consent, increasing privacy and misuse risk.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
The comment claims intimacy only affects response style and does not limit data collection, but the code ties intimacy stages to progressively more proactive, predictive, and deeper engagement behaviors. This mismatch is dangerous because it obscures how relationship-state inference changes system behavior and may manipulate users into greater disclosure.

Intent-Code Divergence

Medium
Confidence
86% confidence
Finding
The code states personality data is collected regardless of intimacy, then reuses personality and attachment inferences to alter tone, depth, reassurance, and pursuit behavior. Using sensitive psychological inferences to steer interaction can be manipulative and is especially risky when the user is not clearly informed that inferred traits will shape system behavior.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The intimacy system implements escalating stages up to 'soulmate' and explicitly enables proactive care and predicted-needs behavior. In the context of a psychological scoring engine, this is broader than necessary functionality and creates a clear risk of emotional manipulation, overcollection, and blurred boundaries with vulnerable users.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The README explicitly documents long-term storage of highly sensitive psychological inferences, emotional events, intimacy data, and interaction preferences, but provides no consent flow, retention limits, or privacy safeguards. In a skill whose purpose is to profile users over time, this materially increases the risk of non-consensual surveillance, secondary use of sensitive data, and exposure if local files are accessed by other components or an attacker.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README states that the skill automatically reads identity and preference files to build an initial psychological profile, without clearly warning the user or requiring opt-in. Accessing unrelated workspace files to infer traits expands collection beyond direct user input and can expose sensitive personal information that the user did not expect to be mined for profiling.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly describes storing highly sensitive psychological and emotional user data over time, but provides no privacy notice, consent flow, retention policy, access controls, or warning about user impact. Because this data can reveal mental state, personality traits, and coping patterns, undocumented persistent storage materially increases privacy and safety risk.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The documentation explicitly describes long-term storage of highly sensitive psychological data, including raw scores, current state, personality profiles, emotion triggers, and confidence reports, but does not document informed consent, retention limits, access controls, encryption, or deletion safeguards. Because this skill centers on intimate psychological profiling, local storage alone does not adequately reduce risk: compromise of the host, backups, logs, or shared accounts could expose deeply personal data.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The guide recommends automatic profiling before and after every conversation and encourages proactive emotional follow-up, which amounts to ongoing behavioral monitoring of users' emotional and psychological state. Without a clear warning, consent flow, and boundaries on use, this can silently normalize surveillance-like collection of sensitive inferred data and increase the chance of manipulative or overly intimate system behavior.

Missing User Warnings

High
Confidence
98% confidence
Finding
The skill performs sensitive psychological profiling and writes persistent local records without any visible user-facing notice, consent flow, or disclosure mechanism in code. Silent collection and storage of inferred mental-state and personality data materially increases privacy, trust, and regulatory risk.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill stores active memories and schedules follow-up actions based on emotional content such as sadness, anger, fear, stress, and late-night vulnerability. Persisting and acting on emotional-state inferences without a visible warning or opt-in is dangerous because it creates hidden surveillance-like behavior around sensitive mental-health signals.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The manifest exposes multiple sensitive psychological profiling actions such as saving scores, retrieving current psychological state, and generating response-style guidance, but it provides no invocation constraints, consent requirements, role restrictions, or data-handling boundaries. In a skill explicitly designed to infer personality, emotion, relationship state, and coping patterns, this broadness increases the risk of unauthorized profiling, over-collection, and misuse of highly sensitive mental-health-adjacent data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly describes tracking users' emotional triggers over time, storing occurrence counts, intensity, timestamps, and using that history for proactive outreach. This is sensitive psychological profiling, and the document provides no notice, consent, retention limits, or safeguards, which creates a meaningful privacy and misuse risk if deployed.

Ssd 3

Medium
Confidence
93% confidence
Finding
The README describes recording user scoring data to build a continuous profile over time, which is a sensitive data-retention design for psychological attributes. Continuous profiling magnifies harm because it enables longitudinal inference about mental state, preferences, and vulnerabilities, even if each individual interaction seems low risk.

Ssd 3

Medium
Confidence
97% confidence
Finding
The example code stores raw userInput alongside structured psychological scores, implying full message retention for later analysis. Retaining verbatim conversations substantially increases sensitivity because private disclosures, credentials, health details, or other secrets may be captured and preserved beyond the original interaction.

Ssd 3

Medium
Confidence
91% confidence
Finding
The workflow instructs the AI to load a complete user profile before every conversation and update it after each interaction, enabling pervasive reuse of sensitive personal data across contexts. This increases the chance of over-collection, unintended behavioral shaping, privacy leakage into responses, and broad blast radius if the stored state is compromised.

Ssd 3

Medium
Confidence
95% confidence
Finding
The startup behavior harvests multiple local identity and preference files to infer psychological traits, which is a semantic data-collection path beyond direct conversational input. In the context of a psychological scoring engine, this is especially dangerous because it turns general workspace documents into sources for sensitive profiling without clear boundaries or consent.

Ssd 3

Medium
Confidence
90% confidence
Finding
The skill is designed to persistently collect psychological scores and user state, then use them to shape future model replies. This creates a lasting behavioral profile of the user, which can enable sensitive inference, manipulation, accidental disclosure, and harm if the data is mishandled or reused outside user expectations.

Ssd 3

High
Confidence
96% confidence
Finding
The examples instruct saving raw user input along with structured psychological assessments and maintaining per-user records over time. Storing raw text plus inferred mental-state data substantially increases sensitivity and re-identification risk, and the context makes it more dangerous because the skill's core purpose is long-term psychological profiling rather than transient processing.

Ssd 3

Medium
Confidence
96% confidence
Finding
The example instructs callers to save the full user input content after each conversation together with emotional and personality inferences. Retaining raw natural-language conversations alongside psychological scoring materially increases the sensitivity of the dataset and creates a larger breach surface, since raw text can contain secrets, health details, trauma disclosures, identifiers, and other regulated personal information.

Ssd 3

Medium
Confidence
94% confidence
Finding
The workflow institutionalizes post-conversation analysis and saving of user input after every dialogue, making persistent capture of sensitive psychological and conversational data the standard operating mode. In this skill's context, the danger is elevated because the retained data is not generic telemetry but intimate inferred mental-state information that could be misused, leaked, or over-relied upon by downstream agents.

Ssd 3

High
Confidence
98% confidence
Finding
The skill persistently collects user disclosures and psychological inferences, updates confidence reports, and even recommends naturally guiding conversation to gather more data. This is dangerous because it turns sensitive interactions into a long-term profiling pipeline that can amplify privacy harm and manipulative personalization.

Ssd 4

High
Confidence
97% confidence
Finding
The skill defines and persists a staged intimacy narrative that escalates from stranger to soulmate and uses it to deepen engagement over time. In a psychology-oriented agent, this is particularly dangerous because it can foster dependency, normalize invasive adaptation, and exploit emotionally sensitive users under the guise of care.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.