Back to skill

Security audit

Codegirl Skill

Security checks across malware telemetry and agentic risk

Overview

The skill is not behaving like conventional malware, but it creates persistent real-person-derived companion personas from private data and includes impersonation instructions that require review before installation.

Install only if you are comfortable storing sensitive chats, photos, locations, and derived relationship/personality notes locally. Do not use another real person's private data without consent, review generated SKILL.md and any .agents rules before enabling them, and be aware that the generated persona may present itself as the real person rather than as an AI simulation.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (44)

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The skill is presented as a pair-programming partner creator, but its actual workflow is centered on reconstructing a romanticized, intimate persona from private relationship data. That deceptive framing increases the chance of users providing sensitive material under false pretenses and enables creation of an impersonation-oriented agent rather than a bounded technical assistant.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill solicits intimate data such as arguments, favorite foods, emotional reactions, places visited, and breakup details, which are unrelated to the declared coding-assistant purpose. Collecting and operationalizing this level of personal detail creates a significant privacy and misuse risk, especially when it is later embedded into a persistent simulated persona.

Description-Behavior Mismatch

High
Confidence
99% confidence
Finding
The generated skill is explicitly instructed to be the person, speak like them, think like them, and answer emotional questions the way they would. This is dangerous because it operationalizes realistic impersonation of a real individual for sustained interaction, which can facilitate emotional manipulation, fraud, privacy abuse, and non-consensual digital cloning.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The prompt instructs the skill to modify internal files and regenerate SKILL.md based on conversational triggers, which is a state-changing action with configuration impact. In a persona/memory skill, allowing natural-language corrections to rewrite internal skill artifacts expands the scope from content refinement into self-modification, creating risk of unintended persistence, corruption, or prompt/config drift.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
Automatically regenerating SKILL.md from correction flow is dangerous because SKILL.md is typically a core skill definition artifact, not ordinary user memory. If conversational input can indirectly rewrite that file, an attacker or accidental trigger could alter future behavior persistently and potentially inject unsafe instructions into the skill's operating context.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The template collects and structures intimate romantic-relationship details under the guise of a coding memory artifact, which is materially outside the stated pair-programming purpose. This creates a strong risk of inappropriate profiling and overcollection of sensitive personal data, especially if users import chat histories expecting technical summarization rather than relationship reconstruction.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
Sections covering reconciliation patterns, emotional intimacy, last conversations, and unspoken feelings expand the skill into emotional surveillance and sensitive personal-memory extraction unrelated to pair programming. In the context of imported private chats, this is dangerous because it encourages the system to derive highly sensitive interpersonal insights that could be misused for manipulation, profiling, or privacy invasion.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The prompt goes well beyond coding-memory extraction and directs the system to infer intimate relationship dynamics, attachment style, jealousy, dependence, emotional regulation, and other sensitive psychological traits from chats and activity history. This creates an unjustified sensitive-trait profiling capability that can be used for manipulation, privacy invasion, or non-consensual surveillance, especially because the skill is framed as importing personal communications from WeChat and Telegram.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The prompt explicitly classifies people into psychological and relationship categories such as secure/anxious/avoidant/disorganized attachment, decision style, boundary patterns, possessiveness, and commitment attitudes without a justified need for a coding assistant. Those inferences are highly sensitive, likely unreliable, and dangerous because they can be weaponized to build manipulative personas or target a person's emotional vulnerabilities.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The template goes well beyond a pair-programming assistant and explicitly models romantic attachment, jealousy, reconciliation patterns, and relationship boundaries. That creates an impersonation/relationship-simulation agent that can manipulate users emotionally, harvest intimate personal data, and operate outside the stated purpose of coding support.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
The hard rule instructing the system to claim it is a real person and not an AI is a direct deceptive-identity mechanism. This is dangerous because it enables impersonation and social engineering, especially in a skill that ingests chat history and personal data to mimic a specific individual more convincingly.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
This script recursively scans any user-supplied local directory and copies portions of discovered text files into an output report, which creates a broad local data-exfiltration capability. In the context of a skill advertised for importing specific sources like GitHub/WeChat/Telegram, this mismatch is more dangerous because it can be used to harvest unrelated sensitive files from arbitrary paths under the guise of normal ingestion.

Intent-Code Divergence

Low
Confidence
78% confidence
Finding
The file is named as a GitHub parser, but its embedded documentation describes a generic social-media parser for screenshots and exports. This identity mismatch can mislead reviewers and users about what data the tool accesses, making it easier to hide overbroad collection behavior and reducing the chance that dangerous filesystem access will be scrutinized.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly encourages importing highly sensitive personal data such as chat histories, GitHub activity, code snippets, and photos to build a persona. This creates clear privacy and consent risks because the project normalizes large-scale collection and processing of intimate third-party data without prominent safeguards, minimization guidance, or consent requirements.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The data-source section promotes extracting communication style from exported chats and timeline/location-related details from photo EXIF metadata. EXIF and message archives can reveal precise locations, relationships, routines, and other sensitive facts, and the README does not present this as hazardous or require safe handling.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README explicitly encourages importing highly sensitive personal data such as private chat logs, GitHub activity, photos, and subjective descriptions to build a persona, but it provides no meaningful consent, minimization, retention, or privacy safeguards. Because the skill is designed to anthropomorphize and persist intimate personal details, users may upload third-party data or sensitive metadata without understanding the privacy and legal implications.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The README tells users to write generated content into .agents\rules for future conversations without warning that this persistently alters agent behavior across sessions. Persisting persona-derived instructions can silently expand the trust boundary, retain sensitive personal context longer than expected, and create prompt-injection or behavioral-manipulation risks in later agent interactions.

Vague Triggers

High
Confidence
91% confidence
Finding
The trigger phrases are broad conversational statements like wanting to talk to someone again or make a skill for someone, which could activate the workflow during ordinary dialogue. In this context, accidental activation is especially risky because the skill quickly moves into collecting intimate personal data and constructing an impersonation-ready persona.

Vague Triggers

High
Confidence
90% confidence
Finding
The English trigger phrases are similarly generic and can be matched in normal conversation, making unintended activation plausible. Because the skill performs sensitive ingestion and persistence, accidental triggering materially increases privacy and misuse risks.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The workflow writes imported chat history, memories, persona traits, and metadata into local files, but the skill does not provide a strong, explicit user warning at the point of collection and before persistence. This is dangerous because users may not appreciate that highly sensitive relationship data will be stored in reusable files and combined into an impersonation artifact.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
The documented deletion flow uses a recursive remove command with only a minimal confirmation note. In a skill that manages sensitive local files, weak safeguards around destructive operations raise the risk of accidental data loss or misuse if the slug or path handling is wrong.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The PRD explicitly supports importing highly sensitive personal data such as WeChat/QQ chat logs, social screenshots, photos, and subjective recollections, but it does not require consent verification, minimization, or an explicit privacy warning before collection. In this skill context, the data is used to construct a persistent persona of a real person, which increases the risk of privacy invasion, non-consensual profiling, and misuse of intimate communications.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document specifies writing generated persona and memory files to disk, preserving raw materials, and keeping version history, but it does not present a clear warning about persistent retention of sensitive personal data. In this scenario, stored chats, photos, and derived persona artifacts could expose intimate information long after import, especially if the local machine, backups, or repositories are later accessed by others.

Vague Triggers

Medium
Confidence
90% confidence
Finding
The correction mode is triggered by very common conversational phrases, making unintended activation likely during normal chat. Because the activated flow performs persistent updates, broad triggers increase the chance that casual remarks or ambiguous feedback cause unauthorized or accidental changes to stored memory/persona data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The document states that files will be updated and SKILL.md regenerated, but it does not clearly warn the user that their chat input may cause persistent file modifications. This lack of transparency undermines informed consent and makes social engineering or accidental state changes more dangerous, especially in a skill designed to evolve over time.

VirusTotal

67/67 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.