Trusted — Risk Score 5/100
Last scan: 18 hr ago
persona-creator
Digital persona style generator — analyzes conversation history to generate personality profiles and supports role-play impersonation
Persona Creator skill performs straightforward conversation style analysis with no malicious behavior — all capabilities are legitimate and align with documented intent.
Skill Name: persona-creator
Duration: 37.9s
Engine: pi
Safe to install
No action needed. Consider documenting filesystem:READ and filesystem:WRITE in the SKILL.md metadata for completeness, but the functionality is benign.

Findings 2 items

Severity: Low
Finding: Filesystem permissions not enumerated in SKILL.md YAML metadata (Doc Mismatch)
Location: SKILL.md:1
The skill's YAML frontmatter does not list filesystem:READ or filesystem:WRITE, even though all 4 functions explicitly read memory/*.md and write persona/*.json files. This is a documentation clarity issue rather than hidden behavior, since the file operations are fully described in the prose.
metadata: openclaw: category: persona (no filesystem permission declared)
→ Add 'permissions: filesystem:READ+WRITE' to the YAML metadata block to match the documented prose capabilities.

Severity: Info
Finding: /tmp used for intermediate data exchange between pipeline steps (Sensitive Access)
Location: scripts/analyze.py:93
analyze.py writes /tmp/persona_meta.json and /tmp/persona_analysis_prompt.txt as coordination artifacts between pipeline steps. These files contain extracted message excerpts and LLM prompts — not credentials — but they are world-readable and persist after execution.
meta_path = Path("/tmp/persona_meta.json")
→ Use a restricted temp directory (e.g., $TMPDIR with 0o600) or clean up /tmp files after save_persona.py completes.

| Resource | Declared | Inferred | Status | Evidence |
|---|---|---|---|---|
| Filesystem | NONE | READ+WRITE | ✓ Aligned | SKILL.md prose describes memory/ and persona/ file operations but YAML metadata … |
| Shell | WRITE | WRITE | ✓ Aligned | SKILL.md explicitly declares bash/python3 subprocess execution for all 4 functio… |
| Network | NONE | NONE | | No network calls found in any script |
| Environment | NONE | NONE | | No environment variable iteration or credential access |
| Skill Invoke | NONE | NONE | | Scripts do not invoke other skills |
| Clipboard | NONE | NONE | | No clipboard access |
| Browser | NONE | NONE | | No browser usage |
| Database | NONE | NONE | | No database access |

File Tree

6 files · 28.0 KB · 843 lines
Python 4f · 505L Markdown 1f · 281L JSON 1f · 57L
├─ 📁 persona
│ └─ 📋 yourself.json JSON 57L · 1.3 KB
├─ 📁 scripts
│ ├─ 🐍 analyze.py Python 253L · 9.2 KB
│ ├─ 🐍 forget.py Python 60L · 2.2 KB
│ ├─ 🐍 refresh.py Python 65L · 2.4 KB
│ └─ 🐍 save_persona.py Python 127L · 4.5 KB
└─ 📝 SKILL.md Markdown 281L · 8.4 KB

Security Positives

✓ No credential harvesting or environment variable enumeration observed
✓ No network requests, external IPs, or data exfiltration
✓ No base64, obfuscation, or anti-analysis techniques
✓ No remote script download (curl|bash, wget|sh)
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive paths
✓ All shell executions (python3 subprocess) are explicitly declared in SKILL.md
✓ File operations (memory/*.md reading, persona/*.json writing) are fully described in prose
✓ No supply chain risk — no external dependencies with vulnerabilities
✓ Role-play mode is a straightforward personality impersonation with no elevation tricks
✓ The forget.py deletion is backed up before removal — safe recovery path exists