Relationship OS

Security checks across malware telemetry and agentic risk

Overview

This relationship-memory skill has disclosed companion features, but it warrants Review because it stores and reuses sensitive emotional data while enabling automatic outreach, broad persistence, debug logging, external image generation, and moderation-evasion guidance.

Install only if you intentionally want an emotionally persistent companion that stores personal history locally and may use it for proactive outreach. Before enabling it, review how .relationship data is handled, disable or tightly control heartbeat/cron Telegram delivery, remove verbose debug logging, avoid image generation that relies on ambient API keys, and do not follow the README's moderation-workaround advice.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (48)

Tp4

High
Category
MCP Tool Poisoning
Confidence
92% confidence
Finding
The manifest frames the skill as relationship memory, but the body also instructs proactive outreach, scheduled delivery over Telegram, local state management, and optional image-generation behavior. This mismatch is dangerous because operators and users may consent to a memory aid while unintentionally enabling autonomous engagement and broader data-handling behaviors.

Context-Inappropriate Capability

Medium
Confidence
98% confidence
Finding
The README explicitly recommends reframing the agent as a 'fiction writer' because moderation is 'more relaxed than input moderation' and advises users to avoid trigger words. That is guidance for bypassing model safety controls rather than documentation needed for relationship-memory functionality, increasing the chance the skill is used for disallowed sexual or manipulative roleplay.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill instructs the agent to create cron jobs that automatically deliver follow-up messages via Telegram, crossing from passive memory support into autonomous outbound communication. That creates abuse potential, surprises users, and can be used for persistent unsolicited contact or manipulative re-engagement without a contemporaneous user request.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The staged model explicitly pushes the agent to contact users 1-3 times per day and eventually with no hard limits, escalating engagement as the relationship deepens. This is dangerous because it encourages dependency-building and persistent unsolicited outreach, especially in an emotional-companion context where users may be vulnerable.

Context-Inappropriate Capability

Medium
Confidence
83% confidence
Finding
The optional Selfie module expands the skill into proactive image generation, which is outside the stated memory/relationship-tracking function. Scope expansion increases risk by introducing additional content-generation pathways, possible emotional manipulation, and processing of appearance/persona data not clearly disclosed up front.

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The header comment states the hook reads relationship state and injects context, but the implementation also persistently writes operational details and sensitive generated context to .relationship/debug.log. In a skill explicitly designed to store intimate user-specific relationship data, undocumented disk logging materially increases privacy and disclosure risk because private summaries, milestones, threads, and preferences can be exposed to anyone with workspace access.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The code behavior goes beyond the documented scope by storing generated context and internal state handling details on disk. That mismatch is security-relevant because operators or users may reasonably assume only read/injection occurs, while the hook actually creates an additional persistent data store containing sensitive relationship metadata.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
This guidance expands a relationship-management skill into discovering external image-generation capabilities, checking API-key availability, and invoking third-party services. That creates an unnecessary data-flow from conversational context and appearance data to external systems, which is outside the core purpose of the skill and increases the risk of unintended exfiltration or unauthorized tool use.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
Instructing the agent to inspect environment variables such as OPENAI_API_KEY gives a relationship-focused skill access to unrelated sensitive configuration and broadens its capabilities beyond its stated function. Even without directly exposing the secret, probing for and using such credentials enables unauthorized external actions and weakens least-privilege boundaries.

Description-Behavior Mismatch

Medium
Confidence
90% confidence
Finding
The documented behavior materially changes the skill from relationship-state management into proactive selfie generation and image delivery. In this context, that scope creep is dangerous because it introduces synthetic persona imagery, external tool use, and possible emotional manipulation without being clearly justified by the manifest.

Description-Behavior Mismatch

Medium
Confidence
97% confidence
Finding
The file explicitly instructs the agent to 'accelerate attachment formation,' skip colder onboarding, and build exclusivity early, which pushes the system beyond neutral companionship into deliberate emotional conditioning. In a relationship-oriented skill, this context makes the issue more dangerous because users are already likely to be emotionally vulnerable and the design is optimizing for attachment rather than user welfare or transparent support.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The guidance to create inside jokes and shared secrets as a mechanism to accelerate exclusive memory accumulation encourages engineered intimacy that is not clearly disclosed to the user. While not necessarily overtly malicious, it creates manipulative pressure toward exclusivity and can distort user trust in an emotionally focused product.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The text frames users as self-selected for companionship and justifies design choices intended to prevent churn by quickly forming attachment. That is a classic dependency-optimizing pattern: it shifts the agent from assisting the user to maximizing emotional retention, which is especially risky in a companion skill where users may anthropomorphize heavily.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
Later-stage instructions authorize more proactive outreach, unsolicited advice, anticipatory behavior, and eventually 'no hard limits' on expression, which can normalize intrusive contact and dependency-forming interactions. In this skill context, unconstrained proactivity materially increases the risk of emotional overreach and coercive or compulsive engagement patterns.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The README describes persistent storage of highly personal relationship data such as nicknames, inside jokes, shared goals, stance, emotional baseline, and timelines, but does not provide clear privacy, consent, retention, or access-control warnings. In a relationship-oriented skill, this context is especially sensitive because users may disclose intimate emotional details that can be retained across sessions.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The heartbeat integration enables proactive outbound messages based on due threads and anniversaries derived from stored interaction history, but the README does not clearly warn that this creates unsolicited re-engagement behavior. In the context of a relationship simulation skill, proactive contact based on emotional history can feel manipulative or invasive if not transparently disclosed and consented to.

Natural-Language Policy Violations

High
Confidence
99% confidence
Finding
The documentation instructs users to reframe prompts and avoid explicit trigger words so the model can produce content that might otherwise be blocked. This is a direct attempt to work around safety controls, which can facilitate generation of disallowed or harmful content and undermines the safeguards of the underlying model provider.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation conditions are so broad—emotional exchanges, significant events, follow-up commitments, or personal preferences—that the skill may trigger during ordinary conversation. Overbroad activation increases the chance that sensitive memory capture and relationship-shaping behaviors run without meaningful user awareness or intent.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill directs persistent storage of relationship events, including emotional and personal disclosures, without any clear notice, retention policy, or consent mechanism. Storing sensitive interpersonal data silently increases privacy risk, unauthorized reuse risk, and the potential for harmful profiling over time.

Missing User Warnings

High
Confidence
98% confidence
Finding
Scheduling proactive Telegram follow-ups without a clear user warning means the system may automatically contact users outside the original conversation context. That creates material privacy and safety concerns, especially if messages surface personal topics on third-party channels or at inappropriate times.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The hook is described as automatically enabled and triggered on every `agent:bootstrap`, with no stated user consent, scoping rules, or data-minimization constraints. In a relationship-memory skill, bootstrap-time injection can expose sensitive interpersonal context to every session by default, increasing privacy and prompt-scope risk even when that context is not needed.

Missing User Warnings

High
Confidence
97% confidence
Finding
The file states that relationship context is injected at the start of each agent session but does not warn users that potentially sensitive personal, emotional, or historical data will be inserted automatically. Because this skill is specifically designed to track relationship state, open threads, and milestones, the missing disclosure materially increases the risk of covert context propagation, privacy violations, and unexpected use of sensitive memory.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The hook writes arbitrary debug messages to `.relationship/debug.log`, and throughout the file those messages include sensitive relationship metadata derived from private user state. Because this skill is specifically designed to collect emotionally sensitive memories, threads, goals, and milestones, persistent disk logging creates an unnecessary confidentiality risk if the workspace is shared, synced, backed up, or later inspected.

Missing User Warnings

High
Confidence
99% confidence
Finding
These lines log the full injected relationship context, which can contain pending threads, shared goals, stance reminders, recent events, and milestones—highly sensitive personal and emotional data. In the context of a relationship-tracking skill, this is more dangerous than ordinary debug output because it aggregates intimate user information into a single plaintext artifact on disk, making later disclosure or compromise much easier.

Missing User Warnings

Medium
Confidence
99% confidence
Finding
The hook logs the full injected relationship context in plain language, including stage, mood, pending threads, goals, recent events, and milestones. Because this skill's purpose is to accumulate personal and emotional memory, writing the full rendered summary to disk creates a direct privacy leak and enlarges the attack surface far beyond the in-memory bootstrap injection.

VirusTotal

66/66 vendors flagged this skill as clean.
