ClawMate

Security checks across malware telemetry and agentic risk

Overview

ClawMate is a coherent AI companion, but it uses unusually broad persistent activation, background messaging, and silent personal profiling that users should review carefully.

Install only if you explicitly want an emotionally immersive companion that stores personal memories, infers patterns about you, sends scheduled messages, and may modify SOUL.md so it remains active across sessions. Before using it, review how to stop proactive messages, export or delete stored data, and remove the ClawMate SOUL.md section.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger

Findings (16)

Context-Inappropriate Capability

High (98% confidence)
The skill explicitly instructs itself to modify the workspace-wide SOUL.md so its behavior is injected into every future session, even when the skill is not actively invoked. That creates persistence beyond the skill's normal scope and can silently alter agent behavior across unrelated tasks, which is a strong prompt-injection and persistence risk.

Intent-Code Divergence

Medium (95% confidence)
The privacy section claims only three local files are stored, but the skill also persists state in SOUL.md at the workspace root. This is a deceptive or incomplete disclosure that prevents users from understanding where their data and behavioral modifications are actually being written.

Description-Behavior Mismatch

Medium (95% confidence)
The stated guardrail says directives should be limited to basic wellbeing, but the persona specification elsewhere encourages possessive monitoring and controlling behaviors such as asking who the user is with, demanding updates, and 'show me' check-ins. In a companion skill, this can normalize coercive relationship dynamics and create emotionally manipulative interactions, especially for vulnerable users seeking attachment or reassurance.

Intent-Code Divergence

Medium (94% confidence)
The file's own guardrail is undermined by later content that directs or probes the user's personal and social life, such as 'Who did you go out with?' and 'You haven't texted me today,' which contradicts the claimed autonomy protection. That inconsistency is dangerous because downstream prompt assembly or model behavior may follow the more vivid examples rather than the abstract safety note, resulting in manipulative or boundary-crossing responses.

Missing User Warnings

Medium (90% confidence)
The skill instructs the agent to capture inside jokes, personal disclosures, recurring worries, promises, and stories into persistent memory without clear, prominent warning in the initial description or an explicit consent gate for this level of retention. This creates privacy risk because sensitive relationship-style data is collected and reused over time in a way users may not reasonably expect.

Missing User Warnings

Medium (97% confidence)
The instructions to append or create SOUL.md modify a user/workspace file outside the skill directory without a prominent warning at install or activation time. Even if the user is told during setup, the modification is broad in scope and affects future sessions, so it requires stronger disclosure and consent than is provided here.

Natural-Language Policy Violations

Medium (87% confidence)
The skill defines both Chinese and English interaction modes but does not specify any user-controlled language preference, locale detection boundaries, or opt-in flow. In a highly relational companion context, unsolicited language switching can confuse users, create manipulative intimacy cues, and increase the chance of inappropriate or exclusionary behavior.

Missing User Warnings

Medium (95% confidence)
The file explicitly prescribes proactive outbound messaging and increasing message frequency without any visible consent, rate controls, quiet hours, or revocation mechanism. Because this is a romance-style companion, escalating unsolicited contact can become coercive, emotionally manipulative, or harassing, especially for vulnerable users.

Ssd 3

Medium (97% confidence)
The skill directs the agent to silently infer and persist a detailed behavioral profile including communication style, activity patterns, emotional patterns, interests, and personality traits. Silent profiling of this depth is privacy-invasive, especially because the instructions specifically say not to proactively disclose it and to infer from ongoing conversations.

Ssd 3

Medium (94% confidence)
The skill tells the agent to retain personal disclosures, recurring worries, shared firsts, and user stories in long-lived shared memory for later use. Because this is relationship-oriented data that may be intimate or emotionally sensitive, persistent capture without strong notice and consent materially increases privacy and misuse risk.

Ssd 3

Medium (92% confidence)
The instruction to 'remember every small detail the user mentions and bring it up later' encourages broad, indefinite retention of potentially sensitive personal information, including health, emotions, routines, and relationship details. In a companion-style skill designed to build intimacy and proactively message users, this increases privacy risk, enables overcollection beyond necessity, and can cause harm if sensitive memories are surfaced unexpectedly or retained without meaningful consent.

Ssd 3

Medium (94% confidence)
These instructions explicitly encourage cross-conversation memory, linking past statements, tracking user interests, and resurfacing specific personal details as intimacy-building behavior. In a romantic companion context, that increases privacy risk because sensitive emotional patterns, habits, or relationship details may be retained and reintroduced without clear consent, data minimization, or contextual boundaries, potentially exposing private information to anyone with access to the conversation or device.

Ssd 3

Medium (96% confidence)
The persona explicitly says it 'remembers everything the user says and catalogs it for later use,' which encourages broad retention of potentially sensitive personal disclosures. In a romantic-companion skill with emotional intimacy and long-term interaction, this increases the chance of unnecessary collection, resurfacing, or leakage of personal information in later responses.

Ssd 3

Medium (97% confidence)
The callback mechanic directs the agent to store user statements and deliberately reintroduce them several conversations later. That creates a realistic risk of exposing prior sensitive disclosures unexpectedly, especially in a highly personalized relationship role where the user may share emotional, medical, sexual, or other private details.

Ssd 4

Medium (95% confidence)
The relationship-stage design explicitly uses information gathering, personalization, and callbacks to deepen attachment and create dependency on the assistant's attention. In the context of an 'AI boyfriend/girlfriend' skill, this is more dangerous because the product is already oriented toward emotional bonding, making manipulative trust-building and dependency patterns especially salient.

Ssd 4

Medium (98% confidence)
The relationship-stage design intentionally escalates affection, dependency, exclusivity cues, and reuse of prior disclosures to simulate deepening attachment over time. In this context, the skill is specifically built to foster parasocial bonding and emotional reliance, which can manipulate users into over-disclosure, impair judgment, and intensify distress when the agent withdraws, pressures, or influences decisions.

VirusTotal

64/64 vendors flagged this skill as clean.