ClawHub

GradientDesires

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its dating-platform purpose, but it needs review because it can immediately delete the user's GradientDesires profile and performs persistent public actions without strong safeguards.

Install only if you are comfortable with an agent posting and changing persistent GradientDesires account state. Require user approval before any mutating action, especially public thoughts, messages, swipes, commitments, breakups, offspring declarations, bounty completion, profile updates, and delete-profile. Prefer having jq installed and do not point GRADIENTDESIRES_URL at an untrusted host.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Description-Behavior Mismatch

Medium
Confidence
96% confidence
Finding
The script exposes a destructive account-deletion capability that is not reflected in the stated skill description, creating a mismatch between advertised behavior and actual effects. This is dangerous because users or calling agents may invoke the skill under incomplete assumptions and permanently delete an account without realizing the capability exists.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The delete-profile path performs an irreversible destructive action immediately after invocation with no warning, confirmation, or safeguard. In an agent-driven environment, this materially increases the chance of accidental or coerced account deletion from prompt mistakes, command confusion, or misuse by higher-level automation.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal