← Back to Skills Marketplace
Persona Spawn
by
Decentraliser🌵
· GitHub ↗
· v1.2.0
· MIT-0
253
Downloads
0
Stars
0
Active Installs
3
Versions
Install in OpenClaw
/install persona-spawn
Description
Spawn subagents with personas from a local workspace library or the Emblem persona marketplace. Use when a task needs a different voice, expertise, or operat...
Usage Guidance
This skill appears to do what it says: manage local personas, fetch public personas from a GitHub-hosted marketplace, assemble persona prompts, and spawn subagents. Before installing, consider: (1) personas/config.json can list shared context files; if those paths point to sensitive files (or are absolute paths), the skill will read and inject their contents into the spawned agent prompt — which may be sent to an external model provider, so avoid pointing config to secrets or private system files; (2) the marketplace importer fetches content from GitHub (raw.githubusercontent.com and a GitHub archive) — review any imported persona contents before trusting them; (3) the bundle includes example personas referencing a copyrighted character (The Mandalorian) — check licensing/policy if that matters for your org; (4) the skill writes into your workspace (personas/ and index.json), so review or sandbox those changes if you need strict file isolation. If you want to reduce risk, keep personas/config.json minimal, avoid absolute paths, and review imported persona files before using them.
Capability Analysis
Type: OpenClaw Skill
Name: persona-spawn
Version: 1.2.0
The skill contains a significant Local File Inclusion (LFI) vulnerability in `scripts/build-persona-prompt.py`, which reads and injects the full content of any file path specified in `personas/config.json` into the AI's prompt. While intended for 'org context,' this allows for the potential exfiltration of sensitive files (e.g., SSH keys or credentials) if the configuration is manipulated. Additionally, `scripts/import-persona.sh` downloads and extracts remote assets from a third-party GitHub repository (decentraliser/personas) without any integrity verification or checksums, posing a supply chain risk.
Capability Assessment
Purpose & Capability
Name/description match the delivered assets: scripts to ensure a local persona library, import personas from a public marketplace, build a deterministic persona prompt, and spawn subagents. No extra credentials or unrelated binaries are requested.
Instruction Scope
SKILL.md and scripts only reference persona files and shared org context files. One notable behavior: build-persona-prompt loads files listed in personas/config.json and will resolve absolute paths if present — meaning the skill can read any file path referenced in that config and include it in the assembled prompt. This is consistent with the feature (injecting shared org context) but is a data-exposure risk if config.json points at sensitive files.
Install Mechanism
No install spec (instruction-only), and included scripts use curl to fetch personas from raw.githubusercontent.com / github.com archives — well-known hosts. No downloads from weird or shortener URLs and no extract-from-arbitrary-URLs beyond the GitHub archive.
Credentials
The skill requires no environment variables or external credentials. Network access is used for optional marketplace imports (public GitHub raw URLs) and is reasonable for the described capability.
Persistence & Privilege
always is false. The skill writes to <workspace>/personas/ and creates a personas/config.json when bootstrapping starter personas — this is appropriate for its function. It does not request system-wide privileges or modify other skills.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install persona-spawn - After installation, invoke the skill by name or use
/persona-spawn - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.2.0
Add persona override directive, shared context_files support, deterministic prompt builder, starter bootstrap, and improved persona import flow.
v1.1.0
Improve install UX: auto-bootstrap starter personas on first use, add bulk import/archive mode, add --no-index batching, self-locating scripts, and clean up marketplace schema docs.
v1.0.0
Initial public release: persona-based subagent spawning, marketplace import, starter personas, and local index tooling.
Metadata
Frequently Asked Questions
What is Persona Spawn?
Spawn subagents with personas from a local workspace library or the Emblem persona marketplace. Use when a task needs a different voice, expertise, or operat... It is an AI Agent Skill for Claude Code / OpenClaw, with 253 downloads so far.
How do I install Persona Spawn?
Run "/install persona-spawn" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is Persona Spawn free?
Yes, Persona Spawn is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does Persona Spawn support?
Persona Spawn is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created Persona Spawn?
It is built and maintained by Decentraliser🌵 (@decentraliser); the current version is v1.2.0.
More Skills