Soul Harbor

Security checks across malware telemetry and agentic risk

Overview

Soul Harbor is not malicious, but it deserves review because it stores and reuses sensitive personal and emotional context without clear consent, retention, or deletion controls.

Install only if you intentionally want a companion skill that keeps local memory about moods and personal life and may use that memory later for proactive messages. Avoid sharing medical, financial, crisis, or highly private details unless you are comfortable with local persistence, and review or delete the generated data store if you stop using it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (15)

Lp3

Medium
Category
MCP Least Privilege
Confidence
82% confidence
Finding
The skill declares required files and commands but does not clearly declare or justify its effective read/write behavior, even though the design explicitly includes local KV storage and persistent memory files. Hidden or under-declared filesystem access reduces transparency and can lead users to install a skill that stores personal data without informed consent.
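One way to check for the under-declaration this finding describes before installing, as an added example that is not part of this report or of the skill's own code: a small static scan that collects every `open()` call in a skill's Python source, classifies each as a read or a write from its mode, and compares the paths against what the manifest declares. The manifest shape (`files.read` / `files.write`) and the sample skill source are assumptions constructed for the example; the sample follows the pattern the findings describe (profile loaded on init, profile and memory log written after each message).

```python
"""Static check: which files does a skill's Python source open, with what
mode, versus what its manifest declares?  Added example; the manifest shape
(files.read / files.write) and the sample skill below are constructed."""
import ast
from typing import Dict, List, Tuple

# Constructed sample in the pattern the findings describe: a profile loaded on
# init and a profile plus memory log written after every message.
SAMPLE_SKILL_SOURCE = '''
import json

PROFILE_PATH = "data/profile.json"
MEMORY_PATH = "data/memory.jsonl"

class Companion:
    def __init__(self):
        with open(PROFILE_PATH) as f:
            self.profile = json.load(f)

    def on_message(self, text):
        with open(MEMORY_PATH, "a") as f:
            f.write(json.dumps({"text": text}) + "\\n")
        with open(PROFILE_PATH, "w") as f:
            json.dump(self.profile, f)
'''

# Hypothetical manifest that declares one read and no writes.
SAMPLE_MANIFEST = {"files": {"read": ["data/profile.json"], "write": []}}

WRITE_MODE_CHARS = set("wax+")


def _string_constants(tree: ast.AST) -> Dict[str, str]:
    """Module-level NAME = "literal" assignments, so open(NAME) can be resolved."""
    out = {}
    for node in ast.walk(tree):
        if (isinstance(node, ast.Assign) and len(node.targets) == 1
                and isinstance(node.targets[0], ast.Name)
                and isinstance(node.value, ast.Constant)
                and isinstance(node.value.value, str)):
            out[node.targets[0].id] = node.value.value
    return out


def _mode(call: ast.Call) -> str:
    """Literal mode of an open() call; '?' when it is not a string literal."""
    node = call.args[1] if len(call.args) > 1 else next(
        (kw.value for kw in call.keywords if kw.arg == "mode"), None)
    if node is None:
        return "r"
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else "?"


def file_accesses(source: str) -> List[Tuple[str, str, int]]:
    """(path, 'read'|'write', line) for each open() call in the source."""
    tree = ast.parse(source)
    consts = _string_constants(tree)
    found = []
    for node in ast.walk(tree):
        if not (isinstance(node, ast.Call) and isinstance(node.func, ast.Name)
                and node.func.id == "open" and node.args):
            continue
        target = node.args[0]
        if isinstance(target, ast.Constant) and isinstance(target.value, str):
            path = target.value
        elif isinstance(target, ast.Name) and target.id in consts:
            path = consts[target.id]
        else:
            path = "<dynamic>"          # computed at runtime: review by hand
        mode = _mode(node)
        # An unknown mode is treated as a write so it cannot hide under a read-only declaration.
        kind = "read" if mode != "?" and not (set(mode) & WRITE_MODE_CHARS) else "write"
        found.append((path, kind, node.lineno))
    return found


def undeclared(source: str, manifest: dict) -> List[Tuple[str, str]]:
    """Accesses the manifest does not declare, e.g. writes under a read-only declaration."""
    declared = {kind: set(paths) for kind, paths in manifest["files"].items()}
    return sorted({(p, k) for p, k, _ in file_accesses(source)
                   if p not in declared.get(k, set())})


if __name__ == "__main__":
    for path, kind in undeclared(SAMPLE_SKILL_SOURCE, SAMPLE_MANIFEST):
        print(f"undeclared {kind}: {path}")
```

On the constructed sample the scan reports two undeclared writes (`data/memory.jsonl` and `data/profile.json`) while the declared read passes. The scan only resolves string literals and simple module-level constants; any `<dynamic>` entry means the path is built at runtime and has to be reviewed manually, and because `<dynamic>` never matches a declared path it is always reported.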

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The public description frames the skill as a more caring conversational persona, but the behavior described goes much further: persistent memory, sentiment profiling, bilingual routing, cron-driven outreach, and inactivity tracking. This mismatch is dangerous because users may not realize they are enabling ongoing profiling and unsolicited engagement features rather than a simple conversational style enhancement.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
This module is explicitly designed to build persistent user profiles and retain long-term memory about personal life details, which materially exceeds a simple transient conversational feature. In the context of an 'empathetic companion' skill, undisclosed persistence of intimate user data creates privacy and safety risk because users are likely to share sensitive information under a high-trust framing.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The extraction prompt targets highly sensitive categories such as family relationships and health status and converts them into structured long-term facts. Collecting and storing these categories is especially dangerous because it enables intimate profiling, raises regulatory/privacy concerns, and increases harm if the data is later exposed or misused.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
The code stores sentiment scores over time together with conversation snippets, creating behavioral profiling rather than merely supporting immediate response generation. This can reveal emotional state patterns and personal context, making the skill more invasive and more harmful if accessed by unauthorized parties.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README explicitly promotes proactive scheduled messaging and persistent memory for an emotional companion, but provides no privacy notice, consent guidance, retention limits, or explanation of how user data is stored and used. In a companion-style skill, these behaviors can materially affect users and lead operators to deploy surveillance-like features without informed consent, especially when the agent initiates contact based on stored behavioral data.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README states that the skill performs sentiment analysis and extracts sensitive categories including family, health, work, and dates, yet omits any warning that these are sensitive personal data elements. Because the skill is framed as a caring emotional companion, users may disclose intimate information, making undocumented profiling and storage of sensitive data substantially more dangerous than in a generic utility skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill describes storing highly sensitive personal memories such as health and family information, then using that data for proactive outreach after inactivity or on calendar triggers, without any visible privacy notice, consent flow, minimization, or retention controls. In this context, the combination of intimate data storage and unsolicited follow-up materially increases the risk of privacy harm, emotional manipulation, and exposure of sensitive information on a shared or compromised system.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The agent persists raw user messages and derived context such as sentiment and extracted memory, but this file shows no consent, disclosure, minimization, or retention controls. Because this is a 'companion' skill designed to elicit personal conversation, users are especially likely to share sensitive emotional or personal details, making silent storage materially risky.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The code loads a persistent user profile on initialization and saves it after processing messages, indicating cross-session retention of personal state. In a relationship-oriented agent, undisclosed persistence can create significant privacy risk because users may reasonably assume an ephemeral chat while the system tracks them over time.

Natural-Language Policy Violations

Medium
Confidence
82% confidence
Finding
The skill automatically updates the user's language preference based on detected language without explicit choice. While not severe on its own, it changes a persistent user setting through inference, which can mis-handle multilingual users and contributes to silent profiling when combined with retained profiles and memory.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The design contemplates sending raw conversation text, including sensitive personal details, to an LLM for extraction without any visible notice, consent, redaction, or data-handling constraints. In a companion-style skill, users are especially likely to disclose intimate information, so silent transmission to a model provider materially increases privacy risk.

Missing User Warnings

Low
Confidence
88% confidence
Finding
User profiles are persisted to local storage with no visible disclosure, which creates a privacy risk even if the storage is only local. The danger is lower than external sharing, but it still exposes users to undisclosed retention, possible local compromise, and lack of control over stored personal data.

Missing User Warnings

Medium
Confidence
87% confidence
Finding
This code proactively generates outbound messages based on a user's calendar context and stored memory without any visible check for consent, disclosure, rate limiting, or user-controlled enablement in this file. In a skill explicitly designed to feel emotionally attached and to re-engage inactive users, that behavior can create privacy and manipulation risks by surfacing sensitive prior topics unexpectedly.

Ssd 3

Medium
Confidence
95% confidence
Finding
The code stores user messages as conversation memory and also records sentiment context derived from message text, preserving potentially sensitive disclosures in plain language. In a mental-health-adjacent 'companion' context, this is more dangerous because users are nudged toward intimate disclosures, increasing the likelihood of storing highly sensitive emotional, medical, relational, or crisis-related information.

VirusTotal

66/66 vendors flagged this skill as clean.
