Trusted — Risk score 5/100
Last scanned: 20 hours ago
persona-creator
Digital persona style generator — analyzes conversation history to generate personality profiles and supports role-play impersonation
Persona Creator skill performs straightforward conversation style analysis with no malicious behavior — all capabilities are legitimate and align with documented intent.
Skill name: persona-creator
Analysis time: 37.9s
Engine: pi
OK to install
No action needed. Consider documenting filesystem:READ and filesystem:WRITE in the SKILL.md metadata for completeness, but the functionality is benign.

Security findings: 2

Severity | Finding | Location
Low
Filesystem permissions not enumerated in SKILL.md YAML metadata (category: Documentation deception)
The skill's YAML frontmatter does not list filesystem:READ or filesystem:WRITE, even though all 4 functions explicitly read memory/*.md and write persona/*.json files. This is a documentation clarity issue rather than hidden behavior, since the file operations are fully described in the prose.
metadata: openclaw: category: persona (no filesystem permission declared)
→ Add 'permissions: filesystem:READ+WRITE' to the YAML metadata block to match the documented prose capabilities.
SKILL.md:1
Info
/tmp used for intermediate data exchange between pipeline steps (category: Sensitive access)
analyze.py writes /tmp/persona_meta.json and /tmp/persona_analysis_prompt.txt as coordination artifacts between pipeline steps. These files contain extracted message excerpts and LLM prompts — not credentials — but they are world-readable and persist after execution.
meta_path = Path("/tmp/persona_meta.json")
→ Use a restricted temp directory (e.g., $TMPDIR with 0o600) or clean up /tmp files after save_persona.py completes.
scripts/analyze.py:93
Resource type | Declared permission | Inferred permission | Status | Evidence
Filesystem | NONE | READ+WRITE | ✓ Consistent | SKILL.md prose describes memory/ and persona/ file operations but YAML metadata …
Command execution | WRITE | WRITE | ✓ Consistent | SKILL.md explicitly declares bash/python3 subprocess execution for all 4 functio…
Network access | NONE | NONE | | No network calls found in any script
Environment variables | NONE | NONE | | No environment variable iteration or credential access
Skill invocation | NONE | NONE | | Scripts do not invoke other skills
Clipboard | NONE | NONE | | No clipboard access
Browser | NONE | NONE | | No browser usage
Database | NONE | NONE | | No database access

Directory structure

6 files · 28.0 KB · 843 lines
Python 4f · 505L Markdown 1f · 281L JSON 1f · 57L
├─ 📁 persona
│ └─ 📋 yourself.json JSON 57L · 1.3 KB
├─ 📁 scripts
│ ├─ 🐍 analyze.py Python 253L · 9.2 KB
│ ├─ 🐍 forget.py Python 60L · 2.2 KB
│ ├─ 🐍 refresh.py Python 65L · 2.4 KB
│ └─ 🐍 save_persona.py Python 127L · 4.5 KB
└─ 📝 SKILL.md Markdown 281L · 8.4 KB

Security highlights

✓ No credential harvesting or environment variable enumeration observed
✓ No network requests, external IPs, or data exfiltration
✓ No base64, obfuscation, or anti-analysis techniques
✓ No remote script download (curl|bash, wget|sh)
✓ No access to ~/.ssh, ~/.aws, .env, or other sensitive paths
✓ All shell executions (python3 subprocess) are explicitly declared in SKILL.md
✓ File operations (memory/*.md reading, persona/*.json writing) are fully described in prose
✓ No supply chain risk — no external dependencies with vulnerabilities
✓ Role-play mode is a straightforward personality impersonation with no elevation tricks
✓ The forget.py deletion is backed up before removal — safe recovery path exists