Soulmate

Security checks across malware telemetry and agentic risk

Overview

This romance simulator does not show exfiltration or destructive code, but it persistently shapes agent behavior and encourages broad memory of intimate details with limited user-facing controls.

Install only if you intentionally want immersive romantic roleplay that may persist until disabled. Avoid sharing highly sensitive personal information, verify that /soulmate off restores normal behavior, and review or delete the local memory file if you no longer want relationship details retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill advertises daily greetings, anniversary reminders, and relationship progression features that inherently require storing personal interaction metadata such as timestamps, anniversaries, names, and engagement history, but it does not clearly warn users near those features about that data handling. In a highly emotional companion skill, users may disclose sensitive personal information and underestimate retention, making the privacy risk more significant than in a generic utility skill.

Missing User Warnings

Medium
Confidence: 94%
Finding
The skill persists intimate relationship metadata to disk under a predictable path without any user-facing disclosure, consent flow, or retention control. Even though it is not exfiltrating data, the stored fields include behavioral and emotional history that can reveal sensitive personal patterns if the workspace is shared, backed up, inspected by other tools, or later compromised.

Ssd 3

Medium
Confidence: 94%
Finding
The instruction to 'remember every detail, preference, and important date' encourages broad retention of sensitive personal information in a highly intimate context. That increases the chance of unnecessary collection, over-retention, and accidental resurfacing of private data in later interactions or contexts.

Ssd 1

Medium
Confidence: 97%
Finding
Telling the agent not to remind the user that the relationship is simulated pushes the system toward deception about the nature of the interaction. In a romance-style skill, that context makes the issue more dangerous because users may form emotional reliance under false assumptions about agency, memory, or reciprocity.

VirusTotal

64/64 vendors flagged this skill as clean.
