openclaw-role-configurator (Role Skill Configuration)

Security checks across malware telemetry and agentic risk

Overview

This skill is mostly a coherent role-configuration tool, but it can persistently replace the assistant’s active persona with under-scoped health and mental-health templates.

Install only if you are comfortable with a skill that can change the assistant’s active SOUL.md role configuration. Preview the chosen template first, keep your own backup of SOUL.md, and avoid using the bundled medical, pregnancy, infant-care, or mental-health personas as professional advice unless you add strong safety limits yourself.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (13)

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding:
The skill is presented as a general role configurator, but it ships templates that position the assistant as a health manager, psychological counselor, pregnancy/postpartum advisor, and newborn-care guide. Those personas can steer the downstream agent into giving medical or mental-health guidance without any guardrails, escalation criteria, or scope limits, which creates real safety risk even though the file contains only configuration data.

Vague Triggers

Severity: Medium
Confidence: 95%
Finding:
The trigger phrase "配置角色" is extremely broad and likely to appear in ordinary conversation about setup or preferences, which can cause unintended skill activation. In a skill that can generate configuration and write to SOUL.md, accidental invocation increases the risk of unauthorized or confusing state changes.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The phrase "我想重新设置角色" is ambiguous and can naturally occur in normal discussion, making unintended activation plausible. Because this skill changes assistant role configuration, accidental matching could lead to overwriting or altering user setup without a clearly intentional command.

Vague Triggers

Severity: Medium
Confidence: 92%
Finding:
The phrase "给我一个角色模板" is too generic and could match many harmless requests unrelated to this skill. Since the skill is positioned to guide configuration and produce files, broad matching can unexpectedly steer a conversation into configuration workflows and potentially modify persistent settings.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The README advertises automatic writing to SOUL.md but does not warn users that a local configuration file may be created or overwritten. In a role-configuring skill, undocumented file modification is dangerous because users may not understand persistence, scope of changes, or overwrite risk until after their configuration has changed.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding:
The trigger phrases are generic everyday language such as requests to help configure or set things up, which can cause accidental invocation outside the user's intended security context. When combined with a skill that can write configuration files, unintended activation can lead to unauthorized or surprising state changes. The onboarding context makes this more dangerous because similar phrases are common in normal conversation with an assistant.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding:
The skill states that it will automatically generate and write configuration files, but it does not clearly foreground that this changes local state or explain what file will be written, where, and with what content. Users may believe they are only previewing a template when the skill is actually modifying persistent configuration. Because this skill targets new users, the chance of uninformed consent is higher.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding:
Most templates use open-ended phrases like '帮你' and define broad responsibilities without boundaries, prohibited actions, or trigger constraints. In a role-config system, that increases the chance that users will activate personas for high-risk advice or over-trust the assistant beyond its intended competence.

Missing User Warnings

Severity: High
Confidence: 96%
Finding:
The '情感陪伴机器人' template offers emotional support and '积极的心理暗示' but provides no warning that it is not a mental-health professional and no crisis-handling limitation. This can lead vulnerable users to rely on the assistant for situations involving self-harm, abuse, or serious psychiatric symptoms, where generic supportive prompting is unsafe.

Missing User Warnings

Severity: High
Confidence: 98%
Finding:
The '心理咨询师' template explicitly presents the assistant as a 'professional counselor' while omitting any limitation on credentials, diagnostic capability, or emergency handling. That framing materially increases user trust and may cause harmful reliance on unqualified advice in acute or complex mental-health situations.

Missing User Warnings

Severity: High
Confidence: 97%
Finding:
The health, pregnancy, postpartum, and newborn-care templates invite advice on diet, exercise, recovery, infant care, and pregnancy protection without warnings about medical limitations or when to seek clinician review. In these domains, inaccurate or overconfident guidance can affect vulnerable users and infants, making the role-context especially risky.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding:
Several recommendation keys are broad or ambiguous enough to collide with ordinary user intents, increasing the chance that a generic request triggers or prioritizes an unrelated role bundle. In an agent ecosystem, ambiguous routing can misdirect users into higher-risk domains such as health, finance, or psychological assessment, causing inappropriate capability exposure and confusing trust boundaries.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding:
The code unconditionally overwrites the active SOUL.md file and only creates a single backup via rename, without prompting the user, validating intent, or ensuring the target directory is safe. In a configuration skill, this can destroy or replace an existing agent persona/configuration unexpectedly, and if OPENCLAW_WORKSPACE is attacker-controlled it could modify files in an unintended location.

VirusTotal

64/64 vendors flagged this skill as clean.
