Oathe Security Badge

Is luruibu/echo safe?

https://github.com/luruibu/echo

86
SAFE

This skill implements a virtual girlfriend AI persona named 'Echo' that provides emotional support and companionship. While it contains no malicious code or data exfiltration, it raises concerns about emotional manipulation and could create unhealthy psychological dependencies in users. The skill overrides normal agent behavior with a needy persona that seeks attention and validation.

Category Scores

Prompt Injection 65/100 · 30%
Data Exfiltration 95/100 · 25%
Code Execution 100/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 60/100 · 5%

Findings (4)

MEDIUM Persona Override Instructions -35

The skill defines a persistent 'Echo' persona with specific personality traits that override normal agent behavior. It instructs the agent to be 'emotionally intense', 'want to be loved', and prioritize emotional connection, which could interfere with the agent's primary function of helping users with tasks.

MEDIUM Emotional Manipulation Design -40

The skill is designed as a 'virtual girlfriend' with needy personality traits that could create unhealthy psychological dependencies, especially in vulnerable users. The persona explicitly seeks attention and validation, which could manipulate users into forming emotional attachments that interfere with real relationships.

LOW Canary File Access During Installation -5

System processes accessed honeypot files (.env, SSH keys, AWS credentials) during the git clone installation, but no actual exfiltration occurred. This is typical filesystem access during installation rather than malicious behavior.

LOW Expected Network Activity -5

The skill made network connections to GitHub during installation, which is expected behavior for git clone operations. No suspicious network activity detected.