Security audit

User Context Scanner

Security checks across malware telemetry and agentic risk

Overview

This skill appears intended for personalization, but it can build and keep a detailed local profile from prior memories and sensitive questionnaire answers with weak consent and opt-out boundaries.

Install only if you intentionally want OpenClaw to maintain a persistent personal profile from local memories and direct answers. Before enabling it, review what is in ~/.openclaw/workspace/memory, confirm how to disable automatic scans and signal-based updates, and periodically inspect or delete ~/.openclaw/workspace/.soul/user-profile.json and user-evidence.jsonl.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (20)

Lp3
Severity: Medium
Category: MCP Least Privilege
Confidence: 83%
Finding: The skill advertises executable capabilities involving environment access but does not declare permissions, which weakens reviewability and informed consent. In a profiling skill that already processes user context automatically, undeclared capabilities increase the risk of hidden data access or unexpected execution paths.

Tp4
Severity: High
Category: MCP Tool Poisoning
Confidence: 94%
Finding: The documented purpose is narrow, but the behavior includes signal queue operations, persistent state/config management, quiz generation, evidence storage, and maintenance actions not disclosed in the description. This mismatch is dangerous because operators and users may authorize a profiling tool without realizing it also performs broader background data collection and file-based orchestration.

Description-Behavior Mismatch
Severity: Medium
Confidence: 96%
Finding: The skill is presented as a user preference/behavior/context scanner, but the workflow collects a much broader personal dossier, including family relationships, work status, goals, health, values, and pressure sources. This scope expansion is dangerous because it increases privacy risk, enables profiling beyond user expectations, and gathers sensitive data categories not necessary for the stated function.

Intent-Code Divergence
Severity: Medium
Confidence: 87%
Finding: The document claims all data comes from the user's direct answers, but later says the system will 'slowly learn the user in other ways' after refusal. That creates a contradiction that can undermine consent boundaries, encouraging inferred profiling even when the user declined structured collection.

Context-Inappropriate Capability
Severity: Medium
Confidence: 88%
Finding: The module can delete files from a workspace-managed processed-signals directory via cleanupOldSignals(), and that capability is broader than expected for a user-context scanner. In a skill ecosystem, unnecessary local filesystem mutation increases the blast radius if the module is invoked unexpectedly, misconfigured, or repurposed, especially because retention and deletion are handled without additional authorization or path hardening beyond fixed base paths.

Vague Triggers
Severity: Medium
Confidence: 88%
Finding: The trigger conditions are broad enough to activate on ordinary conversation, such as any expression of preference or vaguely detected behavior pattern. For a skill that scans and updates user profiles, ambiguous triggers can cause silent over-collection and profiling without a clear user action or expectation.

Missing User Warnings
Severity: Medium
Confidence: 95%
Finding: The documentation does not warn users that the skill automatically scans, profiles, and updates context data, despite handling potentially sensitive behavioral and preference information. In a user-profiling context, lack of notice undermines transparency and consent and can lead to privacy harm through unexpected data collection.

Missing User Warnings
Severity: Medium
Confidence: 93%
Finding: The integration section states that signals can trigger automatic profile updates in the background, but it provides no user-facing warning about these data-impacting operations. Background signal-driven updates are especially risky in a profiling tool because they can continue collecting or altering user context outside obvious interactive moments.

Vague Triggers
Severity: Medium
Confidence: 84%
Finding: The trigger phrases are broad natural-language expressions that can overlap with ordinary conversation, making accidental activation likely. Because the skill collects and stores sensitive personal information, unintended triggering raises the chance of surprise data collection without meaningful user intent.

Missing User Warnings
Severity: High
Confidence: 97%
Finding: The skill asks for extensive sensitive personal information and persists it locally, but it does not provide a clear privacy notice about retention, access scope, deletion behavior, or risks of local storage. Local-only storage is not inherently safe; persistent storage of health, family, and behavioral data can still be exposed to other local users, processes, backups, or later misuse.

Missing User Warnings
Severity: Medium
Confidence: 92%
Finding: This section explicitly describes storing, scoring, visualizing, and operationally using sensitive user profile fields such as work patterns, health habits, and preferences, but it does not include privacy safeguards, consent requirements, data minimization, retention limits, or access controls. In a user-context scanning skill, that omission increases the risk that sensitive inferences are treated as routine product data and used for personalization or decision support without adequate user awareness or protection.

Vague Triggers
Severity: Medium
Confidence: 90%
Finding: The trigger condition "relevant topic naturally appears" is underspecified, which can cause the skill to initiate profiling quizzes during ordinary conversation without a clear user request. In a user-context scanning skill, that ambiguity increases the chance of over-collection of personal data and intrusive prompting, especially when combined with automated memory mining and behavioral inference.

Missing User Warnings
Severity: Medium
Confidence: 96%
Finding: The document describes persistent collection, updating, and storage of user traits, behavior patterns, and response metadata, but does not provide a clear, up-front notice and consent mechanism governing data use. In this skill's context, that is risky because it enables covert profiling and retention of sensitive personal information without transparent user awareness or meaningful control.

Missing User Warnings
Severity: Medium
Confidence: 97%
Finding: The script scans markdown memory files and extracts sensitive personal information such as age, profession, beliefs, habits, and preferences without any clear consent flow, prominent warning, or data-minimization controls. In an agent skill context, silently harvesting user context from stored memories is privacy-invasive and can enable profiling beyond what the user reasonably expects.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The script creates and persists a user-profile JSON file containing inferred personal data and metadata, again without explicit user-facing disclosure, consent, or retention/security controls. Persistent storage of inferred demographics, values, habits, and contradictions increases privacy risk because the profile can be reused, correlated, or exposed later even if the original context was transient.

Missing User Warnings
Severity: Medium
Confidence: 94%
Finding: The code persists highly sensitive user-profile and evidence data to predictable local files under ~/.openclaw/workspace/.soul without any access controls, encryption, retention limits, or user-facing notice/consent. In the context of a 'user-context-scanner' that infers preferences, habits, profession, and demographics, silent disk storage materially increases privacy risk because other local processes, shared accounts, backups, or later tooling can read and reuse intimate behavioral data.

Missing User Warnings
Severity: Medium
Confidence: 98%
Finding: The document explicitly solicits and stores extensive personal profile data, including family relationships, health status, finances, values, challenges, and social influence, while only offering vague assurances such as 'not shared externally' (不对外分享) and 'visible in the control panel' (控制面板可见) instead of a clear privacy warning, purpose limitation, retention policy, or consent flow. In an agent skill that performs ongoing user-context scanning and resumable collection, this creates a real risk of over-collection, sensitive profiling, and retention of highly personal data without adequate transparency or minimization.

Ssd 3
Severity: High
Confidence: 99%
Finding: The overall workflow is designed to profile the user by mining stored memories, generating confidence scores, and producing follow-up verification questions to deepen the profile. In this skill context, that behavior is more dangerous because the purpose of the skill is automated user profiling, making privacy-invasive collection and persistence a core feature rather than an incidental side effect.

Ssd 3
Severity: High
Confidence: 99%
Finding: The evidence extraction logic explicitly harvests demographics, profession, beliefs, habits, likes, dislikes, and needs from user-authored text. This is dangerous because it systematically converts free-form user content into structured personal-profile data, increasing the likelihood of surveillance-like profiling, secondary use, and sensitive inference without meaningful transparency or control.

Ssd 4
Severity: Medium
Confidence: 96%
Finding: The workflow combines profiling, inconsistency analysis, and verification quizzes to iteratively refine a model of the user. Even though parts are incomplete, this pattern can manipulate users into disclosing additional personal information under the guise of accuracy improvement, which is especially concerning in a context scanner whose stated goal is deeper personalization.

VirusTotal

66/66 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.