Lovecoach Skill Pub

Security checks across malware telemetry and agentic risk

Overview

This is mostly a prompt-only dating coach, but it needs Review because it includes boundary-risky relationship advice and under-explained handling of intimate chat and screenshot data.

Install only if you are comfortable using it as informal relationship advice, not therapy or safety guidance. Do not paste private chats, screenshots, contact details, or third-party personal data into any external Pro feature unless you have reviewed that service's privacy terms. Avoid following any advice to appear in person unless the other person has clearly invited contact.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The skill advises users in a 'punishment' conflict state to 'show up (physically if possible),' which can encourage boundary-crossing or unwanted in-person contact during emotionally charged situations. Although it later forbids showing up at someone's workplace, the broader recommendation still risks escalating conflict, enabling harassment, or putting either party at risk if the other person does not want contact.

Missing User Warnings

Medium
Confidence: 89%
Finding
The README advertises cross-session memory, chat-history analysis, personality inference, and screenshot handling, but provides no privacy notice, consent flow, retention policy, or limits on sensitive data processing. In a relationship-coaching context, users are likely to share intimate conversations and third-party messages, so absent disclosure and safeguards this creates a meaningful privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 88%
Finding
The script performs `git push` and `npx clawhub publish` immediately, with `git add -A` staging all local changes and no confirmation, dry-run, or branch validation. A maintainer who runs it with unintended modifications, on the wrong branch, or with an incorrect version/changelog could irreversibly publish code or metadata to external services, causing accidental release or supply-chain exposure.

VirusTotal

66/66 vendors flagged this skill as clean.
