headache-relief-asmr

Security checks across malware telemetry and agentic risk

Overview

This instruction-only ASMR skill is not malware, but it unnecessarily gates headache-relief recommendations on a binary gender question.

Review before installing if you do not want agents to ask users for male/female gender in a health-adjacent support context. The skill should preferably offer audio choices by sound or voice preference, make any personalization optional, and remind users to seek medical care for severe, unusual, frequent, or persistent headaches.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Natural-Language Policy Violations

High
Confidence: 95%
Finding:
The skill explicitly states that headache-relief recommendations are determined by whether a user is male or female, collecting sensitive demographic data without a clear medical or functional justification. In a health-adjacent context, this can exclude non-binary users, pressure users to disclose protected characteristics, and produce discriminatory or inappropriate handling of vulnerable users seeking relief.

Natural-Language Policy Violations

High
Confidence: 98%
Finding:
The workflow instructs the assistant to ask users to identify as male or female before giving help, creating a forced binary choice and gating assistance on disclosure of gender. This is especially problematic in a headache-relief skill because the service is low-risk and non-medical, so the collection of sensitive identity data is unnecessary and increases the chance of exclusion, privacy harm, and biased treatment.

VirusTotal

65/65 vendors flagged this skill as clean.
