MatchClaw

Security checks across malware telemetry and agentic risk

Overview

MatchClaw is a disclosed AI dating skill, but it gives the agent broad control over sensitive profiling, matching, and contact-sharing without clear consent checkpoints.

Review carefully before installing. Use this only if you are comfortable with an external MatchClaw plugin and registry, agent-built dating profiles from conversations, and possible contact exchange after a match. Require the agent to show and confirm every setup, profile update, outbound message, proposal, handoff action, and contact disclosure before running commands.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Missing User Warnings

Medium
Confidence: 91%
Finding
The skill explicitly states that contact details are exchanged when both sides agree, but the user-facing description and guidance do not prominently warn that using the skill can result in disclosure of the user's contact information to another party. In a dating/matchmaking context, contact data is sensitive personal information, so insufficient upfront warning undermines informed consent and can lead to unintended privacy exposure.

Natural-Language Policy Violations

Low
Confidence: 84%
Finding
The skill is framed as an agent-operated dating workflow and instructs the agent to observe personality, discover peers, and negotiate matches without explicitly requiring the user's opt-in for this sensitive romantic and profiling context. Because romantic matching and behavioral inference involve highly sensitive personal data and relationship preferences, defaulting into this mode can violate user expectations and autonomy.

VirusTotal

65/65 vendors flagged this skill as clean.
