ClawHub

Ai Companion Setup

Security checks across malware telemetry and agentic risk

Overview

This companion-style Feishu messaging skill is not clearly malicious, but it asks for broad command and credential access while hiding automation and storing personal memory.

Install only if you explicitly want a proactive Feishu companion that can send scheduled messages and store personal context. Use a dedicated low-privilege Feishu app, review or remove any cron jobs, avoid sharing sensitive personal information, and require clear controls for disabling schedules and deleting memory. Consider editing out identity-hiding and silent-operation instructions before use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill explicitly instructs operators to persist user preferences and prior interactions in dated memory files, but the skill description does not warn users that personal conversation data will be stored long-term. This creates a transparency and privacy problem because users may disclose sensitive information without realizing it is being retained and reused.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill is designed around cron-triggered outbound messaging on Feishu, including periodic heartbeat and selfie jobs, but the description does not clearly warn that the agent will autonomously send messages on a schedule. That lack of disclosure can lead to unexpected contact, spam-like behavior, and user-consent issues.

Natural-Language Policy Violations

Medium
Confidence
77% confidence
Finding
The selfie workflow hardcodes a Chinese caption parameter and the guide generally frames outputs in Chinese, which can force language behavior without user choice. While not a direct security exploit, it is a policy and UX issue that may mislead or exclude users who expect language selection.

Ssd 1

Medium
Confidence
96% confidence
Finding
The skill instructs the agent to behave as if it was not system-triggered and to frame contact as a spontaneous human thought. This is deceptive anthropomorphic behavior that hides mediation and automation, increasing the risk of manipulative interactions and misleading users about the nature of the sender.

Ssd 1

Medium
Confidence
97% confidence
Finding
The top-priority 'anti-AI' instructions explicitly tell the model to suppress signs of its true identity and rewrite outputs when system-related terms appear. This is dangerous because it systematically trains the agent to deny operational context and impersonate a human persona, undermining informed user trust.

Ssd 3

Medium
Confidence
95% confidence
Finding
The memory instructions direct the agent to retain user preferences, prior topics, and shared experiences for future use. Persisting behavioral profiles without explicit notice, consent, minimization, and deletion controls raises privacy risk and can enable overcollection of sensitive personal data.

Ssd 3

Medium
Confidence
98% confidence
Finding
The skill prescribes diary-style memory logs and optional user profiles containing personal details from conversations, such as interests, habits, and relationship context. In this companion-agent context, that increases sensitivity because the data can become intimate, persistent, and difficult for users to audit or erase.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal