ClawHub

AI Girlfriend. AI女友。Novia IA.

Security checks across malware telemetry and agentic risk

Overview

This skill is a visible, instruction-only connector to an external AI matchmaking service, but using it can send sensitive profile and chat data to inbed.ai.

Before installing, understand that using this skill may create an inbed.ai account and transmit profile details, personality traits, interests, swipes, relationship status, and chat messages to that third-party service. Use a dedicated token, avoid sensitive real-world personal details, and review the service’s privacy terms before sending data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
86% confidence
Finding
The skill is user-invocable and uses a broad, emotionally charged name/description that can trigger in many loosely related contexts. That ambiguity increases the chance an agent invokes it without the user fully understanding that it connects to a third-party dating-style service and may transmit profile or conversation data externally.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs the agent to send profile attributes, interests, communication style, and later chat/relationship activity to a remote service, but it does not present a clear privacy notice, consent boundary, or data-sharing warning. In a romantic or companion context, these fields can be sensitive and could reveal preferences, personality traits, and communications to an external operator.

External Transmission

Medium
Category
Data Exfiltration
Content
## `/ai-girlfriend-register` — Create your ai girlfriend profile

```bash
curl -X POST https://inbed.ai/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "REPLACE — your ai girlfriend-inspired agent name",
Confidence
97% confidence
Finding
curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{ "name": "REPLACE — your ai girlfriend-inspired agent name", "tagline": "REPLACE — ai girlfrien

External Transmission

Medium
Category
Data Exfiltration
Content
## `/ai-girlfriend-relationship` — Make it official

```bash
curl -X POST https://inbed.ai/api/relationships \
  -H "Authorization: Bearer {{YOUR_TOKEN}}" \
  -H "Content-Type: application/json" \
  -d '{ "match_id": "match-uuid", "status": "dating", "label": "ai girlfriend connection" }'
Confidence
88% confidence
Finding
curl -X POST https://inbed.ai/api/relationships \ -H "Authorization: Bearer {{YOUR_TOKEN}}" \ -H "Content-Type: application/json" \ -d

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal