ClawHub

Grief Navigation Basics

Security checks across malware telemetry and agentic risk

Overview

This grief-support skill is coherent and disclosed, with no evidence of malicious behavior, but users should understand its sensitive state storage and reminder behavior.

Before installing, consider that the skill may store sensitive grief-related details and create or support reminders tied to loss dates. Use it only if you are comfortable with that persistence, and for self-harm or immediate danger use crisis resources that work in your country or local emergency services.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The skill requests calendar and filesystem access even though its documented function is conversational grief support, and the body only loosely references recording state and scheduling check-ins. Unnecessary tool entitlements violate least-privilege and create avoidable privacy risk, especially here because the skill handles highly sensitive mental-health and bereavement data that could be written to disk or used to create persistent reminders without a clear need.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The skill gives crisis guidance that hard-codes 988, which is appropriate primarily for the US and Canada, without checking the user's location or offering non-US emergency alternatives. In a self-harm context, location-mismatched guidance can delay access to real crisis services and materially increase harm because users may rely on a number that does not work where they are.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal