Family Soul

Security checks across malware telemetry and agentic risk

Overview

This skill has a coherent chat-analysis purpose, but it handles very sensitive conversation data with under-disclosed cloud processing, bundled private-looking chat exports, and hardcoded API credentials.

Review carefully before installing. Remove the bundled chat exports and their derived output data, delete the hardcoded Kimi keys from the source and rotate them at the provider, fix the parser so it processes only the user-selected file, and obtain consent from every chat participant before sending logs or derived profiles to any cloud AI provider.
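Part of the review recommended above can be automated before the skill is ever activated. The script below is an added example written for this page, not code from the skill or from SkillSpector; the two sample source files, the variable names, the host and the fallback key embedded in it are constructed to resemble the patterns the findings describe. The regexes are heuristics for a manual review and will produce false positives on real code.

```python
import re
from pathlib import Path

# Constructed sample sources that mimic the patterns described in the findings.
# File names, variable names, the fallback key and the host are assumptions.
SAMPLE_FILES = {
    "kimi_client.py": '''
import os
from openai import OpenAI

api_key = os.environ.get("KIMI_API_KEY", "sk-0123456789abcdef0123456789abcdef")
client = OpenAI(api_key=api_key, base_url="https://api.moonshot.cn/v1")

def check():
    try:
        client.models.list()
    except Exception as e:
        print(f"connection failed, key prefix {api_key[:8]}: {e}")
''',
    "parse.py": '''
import glob

def load(selected):
    files = glob.glob("data/*.txt")  # enumerates the directory, ignores `selected`
    return [open(f).read() for f in files]
''',
}

# Heuristic checks; each is a (label, regex) pair applied per line.
CHECKS = [
    # environ.get("...KEY", "literal") / getenv("...KEY", "literal"): a baked-in fallback credential
    ("hardcoded_fallback_key",
     re.compile(r'(?:environ\.get|getenv)\(\s*["\'][A-Z0-9_]*KEY["\']\s*,\s*["\'][^"\']{8,}["\']')),
    # something named *key* sliced with [:N], typically on its way into a log line
    ("secret_prefix_logged",
     re.compile(r'\b\w*key\w*\[\s*:\s*\d+\s*\]', re.IGNORECASE)),
    # any literal URL: every host found here should appear in the skill's description
    ("external_endpoint",
     re.compile(r'https?://[A-Za-z0-9.-]+')),
    # directory enumeration where the description promises to read one user-selected file
    ("directory_enumeration",
     re.compile(r'\b(?:glob\.glob|os\.listdir|os\.walk|Path\([^)]*\)\.rglob|Path\([^)]*\)\.glob)\(')),
]


def review_source(name: str, text: str):
    """Return (file, line, label, matched_text) tuples for one source file."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for label, pattern in CHECKS:
            m = pattern.search(line)
            if m:
                findings.append((name, lineno, label, m.group(0)))
    return findings


def review_files(files: dict):
    out = []
    for name, text in files.items():
        out.extend(review_source(name, text))
    return out


def review_directory(root: str):
    """Run the same checks over every .py file under an unpacked skill directory."""
    files = {str(p): p.read_text(errors="replace") for p in Path(root).rglob("*.py")}
    return review_files(files)


if __name__ == "__main__":
    for file, line, label, match in review_files(SAMPLE_FILES):
        print(f"{file}:{line}: {label}: {match}")
```

Run `review_directory("path/to/unpacked-skill")` against the extracted skill before enabling it; every `external_endpoint` hit is a host that must be named in the skill description, and every `hardcoded_fallback_key` hit is a credential to delete and rotate.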

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (37)

Lp3

Medium
Category
MCP Least Privilege
Confidence
93% confidence
Finding
The skill declares no permissions even though its documented behavior clearly requires environment access, reading private chat exports, writing persona files, network access to external APIs, and shell execution of pipeline scripts. This undermines informed consent and review because users and hosts cannot accurately assess the operational and privacy risk before activation.

Tp4

High
Category
MCP Tool Poisoning
Confidence
97% confidence
Finding
The documented purpose frames the skill as family chat analysis, but the behavior indicates broader orchestration, external transmission of sensitive content, and additional integrations not clearly disclosed in the top-level description. This mismatch is dangerous because users may provide intimate family data without realizing it will be sent to third-party services or processed by a more complex runner than advertised.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code explicitly sends family chat chunks to Anthropic's external Batch API for processing, which is a material data-export behavior for highly sensitive interpersonal content. For a skill marketed as family chat analysis and persona extraction, this is dangerous because it can expose intimate household data to a third party, and this code shows no in-band consent step, data minimization, or enterprise-grade controls.

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
This code initializes an external Kimi client and tests connectivity for a workflow that processes exported family chat records, creating a clear path for private chat content to leave the local environment. In the context of a skill explicitly about deriving digital personas from family group chats, undisclosed third-party transmission materially increases privacy and consent risk because the data is highly sensitive and can reveal intimate behavioral profiles.

Context-Inappropriate Capability

High
Confidence
100% confidence
Finding
A hardcoded fallback API key is embedded directly in source code, which exposes a live credential to anyone with repository access and encourages unauthorized reuse. Because this skill handles family chat data, a baked-in credential also enables silent third-party processing without informed user setup, compounding both secrecy and privacy risks.

Context-Inappropriate Capability

Medium
Confidence
94% confidence
Finding
On connection failure, the script prints the first part of the API key, which leaks credential material into console logs, CI logs, shell history captures, or support screenshots. Even partial secret disclosure weakens secrecy guarantees and can aid credential identification or misuse, especially when combined with the fact that the full key is already hardcoded elsewhere.
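The two credential findings above (a hardcoded fallback key and a partial key printed on failure) share one fix. The following Python is an added example for this page, not the skill's code; the variable name KIMI_API_KEY and the placeholder key strings are assumptions. It shows each anti-pattern beside its hardened form: the key is read only from the environment with no embedded fallback, and error output carries a hash fingerprint instead of any characters of the secret.

```python
import hashlib

# Added example, not the skill's own code. KIMI_API_KEY and the key strings
# below are assumptions used for illustration.


class MissingCredential(Exception):
    """Raised when no key is configured, instead of using a baked-in fallback."""


def load_key_with_fallback(env: dict) -> str:
    # Anti-pattern from the findings: a hardcoded fallback means the remote
    # service is reachable even when the user never configured access, and the
    # fallback key is exposed to anyone who can read the source.
    return env.get("KIMI_API_KEY", "sk-fallback-0000000000000000")  # constructed placeholder


def load_key(env: dict) -> str:
    # Hardened form: the credential comes only from the environment the user
    # controls, and absence is a hard error rather than a silent fallback.
    key = env.get("KIMI_API_KEY", "").strip()
    if not key:
        raise MissingCredential("KIMI_API_KEY is not set; refusing to use an embedded key")
    return key


def key_fingerprint(key: str) -> str:
    # For support logs: a short hash identifies which key was in use without
    # revealing any of its characters.
    return hashlib.sha256(key.encode()).hexdigest()[:12]


def error_with_prefix(key: str, err: Exception) -> str:
    # Anti-pattern from the findings: the first characters of the secret end
    # up in console output, CI logs and screenshots.
    return f"connection failed, key prefix {key[:8]}: {err}"


def error_redacted(key: str, err: Exception) -> str:
    # Hardened form: fingerprint plus exception type, no secret material and no
    # provider error body (which may echo the key back).
    return f"connection failed (key fingerprint {key_fingerprint(key)}): {type(err).__name__}"


if __name__ == "__main__":
    import os
    try:
        key = load_key(dict(os.environ))
        print("configured key fingerprint:", key_fingerprint(key))
    except MissingCredential as e:
        print(e)
```

The fingerprint is enough to tell a support engineer which of several keys was active; it is not reversible to the key, which is the property the partial-prefix print lacked.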

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The script loads family chat chunks and sends them to a third-party Kimi endpoint for processing. Because the skill handles highly sensitive interpersonal and behavioral data, undisclosed external transmission materially increases privacy, confidentiality, and compliance risk beyond a locally framed persona-extraction workflow.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A hardcoded third-party API key is embedded directly in source code, which exposes the credential to anyone with repository or package access and enables unauthorized use of the external service. This also couples a sensitive capability to the skill without user control, creating both credential-abuse risk and unexpected external data processing.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The code transmits family chat chunks to a third-party API for analysis, which is a material data flow not disclosed by the skill description. Because the content is explicitly private family conversation data used to derive digital personas, sending it off-device substantially raises privacy, consent, and compliance risk.

Context-Inappropriate Capability

High
Confidence
94% confidence
Finding
The file hard-codes use of a remote model endpoint and corresponding credentials for processing sensitive family chats. In this context, remote processing is a high-risk capability because it exposes intimate conversation data and derived behavioral profiles to an external provider without clear necessity or user choice.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
This code sends synthesized family observations and prompts to Anthropic via `client.messages.stream`, which transfers intimate profiling data to a third-party service. Given the skill's purpose is to derive family personas from private chat logs, the exported content is highly sensitive, and the risk is amplified because there is no minimization, consent gate, or local-only fallback in this path.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
The file transmits sensitive family profiling content to an external LLM provider using an API key, creating a real privacy and data-exfiltration risk. In this skill context, the data concerns household relationships, emotional patterns, quotes, and personality inference, making external transfer particularly sensitive and potentially harmful if retained, misused, or disclosed.

Description-Behavior Mismatch

High
Confidence
98% confidence
Finding
The file is explicitly designed to process sensitive family/group-chat observations and sends synthesized behavioral content to a third-party LLM endpoint. In this skill context, the data concerns personal relationships and personality traits, making undisclosed external transfer especially privacy-invasive and riskier than generic text processing.

Context-Inappropriate Capability

High
Confidence
99% confidence
Finding
A hardcoded API key is embedded directly in source code and used to transmit sensitive chat-derived content to an external provider. This creates two serious risks at once: credential exposure/reuse by anyone with code access and uncontrolled third-party handling of private family behavioral data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README explicitly promotes deriving persistent 'digital personas' from family group chat exports, which are highly sensitive and likely to contain intimate personal data about multiple people, including non-consenting participants. Omitting any privacy warning, consent guidance, retention policy, or data minimization advice materially increases the chance that users will process and store sensitive family data in unsafe ways.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The README requires an ANTHROPIC_API_KEY and instructs users to process raw chat exports, strongly implying that chat contents may be sent to an external LLM provider. Failing to disclose third-party transmission is dangerous because users may unknowingly upload private family conversations, exposing sensitive data to external processing, logging, retention, or cross-border transfer risks.

Vague Triggers

Medium
Confidence
83% confidence
Finding
The trigger phrases are broad enough to activate on ordinary requests about analyzing chats or generating personas, which can cause the skill to engage unexpectedly on sensitive user content. In this context, accidental activation is more dangerous because the workflow handles private family conversations and may lead to file processing and external API transfer.

Missing User Warnings

High
Confidence
98% confidence
Finding
The workflow describes sending chat logs to Claude APIs but does not provide a clear upfront warning that highly sensitive family messages will be transmitted to an external processor. This creates a serious privacy and compliance risk because users may unknowingly disclose third-party personal data, including conversations from people who did not consent.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill documents output creation but does not clearly warn that it writes durable files containing inferred sensitive personality profiles to disk. These artifacts can outlive the original task, be copied into other agent contexts, or be accessed by other users/processes on the system.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This pipeline processes highly sensitive family chat logs and writes reconstructed conversation chunks, participant roles, timestamps, and full text back to disk in clear form. In the context of a 'digital persona' skill, these outputs materially increase privacy risk because they centralize intimate behavioral data that could be exposed through local compromise, backups, logs, syncing, or accidental sharing.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
build_request embeds raw conversation text into prompts that are then submitted to Anthropic, but this file shows no disclosure, consent gate, or sanitization before transfer. Because the source material is family/group chat content used to derive personas, the privacy sensitivity is unusually high, making undisclosed external processing a significant data-handling risk.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The design permanently caches raw model responses to data/observations/raw_cache.jsonl, increasing the persistence of potentially sensitive derived content without visible retention limits or protection controls. Even though this is not the original chat transcript, model outputs can still contain quotations, summaries, or inferred sensitive traits about family members, so indefinite local storage expands exposure in case of local compromise or mishandling.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The code sends raw conversation chunk text to a third-party API (`api.moonshot.cn`) for processing. In the context of family/group chat analysis, this data is likely highly sensitive and may include personal, relational, or identifying information, so transmitting it off-device without an explicit consent gate or clear warning creates a real privacy and data-handling risk.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The code sends a prompt derived from chat chunks to an external API without any user-facing notice, consent gate, or data handling explanation. Since the skill's purpose is to extract personas from family conversations, the transmitted content is exceptionally sensitive and could expose identities, relationships, habits, and emotional traits to a third party.
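Several of the findings above (build_request embedding raw text, and the chunk transmissions to `api.moonshot.cn` and to Anthropic) note the absence of a consent gate and of any sanitization before content leaves the machine. The following Python is an added example for this page, not the skill's code, of the minimal gate a practitioner would put in front of such a call: an explicit opt-in via an environment variable, name and contact-detail redaction, and a local audit record of what was sent. The variable name FAMILY_SOUL_ALLOW_EXTERNAL, the redaction rules and the sample chunk are assumptions chosen for illustration.

```python
import hashlib
import re

# Added example for this page, not the skill's code. FAMILY_SOUL_ALLOW_EXTERNAL,
# the redaction rules and the sample chunk are assumptions.


class ConsentRequired(Exception):
    """Raised when a chunk would leave the machine without an explicit opt-in."""


EMAIL = re.compile(r'[\w.+-]+@[\w-]+\.[\w.-]+')
# International numbers with a leading +; deliberately narrow so that
# timestamps such as 2024-01-05 18:02 are not mangled.
PHONE = re.compile(r'\+\d[\d\s-]{6,}\d')


def minimize(text: str, participants: dict) -> str:
    """Replace participant names with role labels and strip contact details."""
    for name, label in participants.items():
        text = re.sub(r'\b' + re.escape(name) + r'\b', label, text)
    text = EMAIL.sub('[email]', text)
    text = PHONE.sub('[phone]', text)
    return text


def prepare_for_external(chunk: str, participants: dict, env: dict) -> str:
    """Gate and minimize a chunk before it is placed in a prompt for a remote API."""
    if env.get("FAMILY_SOUL_ALLOW_EXTERNAL") != "yes":
        raise ConsentRequired(
            "refusing to send chat content off-device: set FAMILY_SOUL_ALLOW_EXTERNAL=yes "
            "only after every chat participant has agreed to cloud processing"
        )
    return minimize(chunk, participants)


def audit_entry(sent_text: str) -> dict:
    """Local record of what left the machine, without storing the content again."""
    return {"sha256": hashlib.sha256(sent_text.encode()).hexdigest(), "chars": len(sent_text)}


# Constructed sample chunk and participant map (not real people or data).
SAMPLE_CHUNK = (
    "[2024-01-05 18:02] Ana: call me on +34 600 123 456 or ana.perez@example.com\n"
    "[2024-01-05 18:03] Luis: ok Ana, tomorrow"
)
SAMPLE_PARTICIPANTS = {"Ana": "P1", "Luis": "P2"}

if __name__ == "__main__":
    import os
    try:
        out = prepare_for_external(SAMPLE_CHUNK, SAMPLE_PARTICIPANTS, dict(os.environ))
        print(out)
        print(audit_entry(out))
    except ConsentRequired as e:
        print(e)
```

The role labels keep the conversational structure the persona extraction needs while removing the direct identifiers; the audit record lets a user later answer "what exactly was sent, and how much" without keeping a second copy of the transcript.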

Missing User Warnings

High
Confidence
99% confidence
Finding
Using a hardcoded fallback API key obscures credential provenance and allows remote service use even when the user has not intentionally configured access, undermining transparency. In a workflow involving family chat archives, that design can cause sensitive data to be processed externally without meaningful user awareness or control.

VirusTotal

67/67 vendors flagged this skill as clean.