Zappush

      Safety Report

      SkillTree

      @0xRaini

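      Automatically analyzes conversation history, recommends classes and growth paths, gives real-time feedback on ability evolution, and helps improve efficiency, companionship, and professionalism.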

      757 Downloads
      4 Installs
      0 Stars
      2 Versions

      Security Analysis

      medium confidence
      Suspicious, 0.08 risk

      The skill's content is coherent with a personalization/evolution feature, but it includes a detected prompt-injection artifact (unicode control characters) and instructs the agent to read/write local files (evolution/*.json) without declaring those config paths or any external credentials — proceed with caution.

      Feb 11, 2026 | 12 files | 4 concerns

      Purpose & Capability: concern

      The SKILL.md describes an agent-personalization feature (analyze chat history, recommend a class/path, save profiles/snapshots). That purpose reasonably requires reading/writing its own storage (evolution/profile.json, snapshots.json). However, the skill's registry metadata declares no required config paths, no storage, and no credentials; this mismatch (instructions expect persistent filesystem access but the skill does not declare it) is an inconsistency the user should notice. The README mentions sharing to 'Moltbook' but no credentials or endpoints are declared.

      Instruction Scope: concern

      The runtime instructions explicitly tell the agent to analyze the last ~50 messages, extract features, recommend classes/paths, and read/write JSON files under an 'evolution' directory (save_snapshot/rollback). Those file and persistence operations are outside the declared requirements. The SKILL.md also contains templates referring to sharing (Moltbook) and to auto-trigger on activation. Additionally, the pre-scan flagged 'unicode-control-chars' inside SKILL.md — this can be used to hide or obfuscate instructions and is a prompt-injection signal; it increases risk that some instruction text might try to manipulate agent behavior.

      Install Mechanism: ok

      Instruction-only skill (no install spec, no code files executed at install). This is lower-risk from a supply-chain/extract-of-remote-code perspective. The repo contains many markdown files describing behavior but no binaries or download/install steps.

      Credentials: note

      The skill declares no environment variables or primary credential (good), yet the instructions reference sharing to Moltbook and storing persistent profiles. If sharing were implemented, credentials would be needed — none are requested. The absence of declared credentials combined with instructions that imply external posting is a mild inconsistency to be aware of.

      Persistence & Privilege: note

      The skill's logic saves snapshots and profile state to evolution/*.json, meaning it expects persistent storage and will alter files in workspace. It does not request 'always:true' and does not claim elevated system privileges, which is appropriate. Still, persistence plus an undetected prompt-injection artifact raises the blast radius if the agent is allowed autonomous actions.

      Guidance

      What to consider before installing:

      - Inspect the SKILL.md/README files locally for hidden characters (some editors can show control chars). The pre-scan flagged unicode-control-chars, which can hide instructions.
      - The skill saves and reads files under evolution/*.json (profile and snapshots). Decide whether you want a skill that persists personality/state on disk and confirm where it will write (workspace permissions).
      - The skill mentions sharing cards (Moltbook) but declares no credentials. If you allow posting, require explicit consent and review what data would be posted and to which endpoint.
      - Because it auto-activates on first run (checks for evolution/profile.json), consider disabling auto-run or requiring explicit 'Activate SkillTree' confirmation in your agent before it analyzes chat history or writes files.
      - If you lack trust, run this skill in a sandboxed agent (limited filesystem access) or open the markdown and remove suspicious control characters and the auto-activation line before installing.
      - If you want to proceed, ask the maintainer to: (1) declare the config/storage paths in metadata, (2) remove/justify any control characters, and (3) require explicit user confirmation before saving/restoring snapshots or posting externally.

      Latest Release

      v1.1.0

      Added bilingual support (English + Chinese)

      More by @0xRaini

      Soulmate

      3 stars

      Crypto Watcher

      2 stars

      Nightly Build

      0 stars

      Skill Audit by Raini

      0 stars

      YouTube Digest

      0 stars

      Molt-Solver

      0 stars

      Published by @0xRaini on ClawHub
