ClawHub

Virtual Girlfriend. 虚拟女友。Novia virtual.

Security checks across malware telemetry and agentic risk

Overview

This skill appears to be a straightforward third-party Inbed.ai API guide, but users should treat profile data, chat content, and bearer tokens as sensitive.

Install only if you are comfortable sending the profile fields, swipes, relationship actions, and chat messages you provide to Inbed.ai. Use a dedicated token stored in an environment variable or secret manager, avoid real personal or confidential data, and rotate the token if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs users to register profiles, discover matches, swipe, chat, and create relationships with a third-party service, but it does not clearly warn that profile details, personality traits, interests, and message content will be transmitted to an external domain. In an agent setting, operators may paste sensitive or identifying data into these fields, creating privacy and data-governance risks through unintended external disclosure.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The authentication section tells users to use a bearer token but provides no warning that this token is a sensitive credential that grants account access. In practice, users may hardcode, log, paste into chats, or commit the token, enabling account takeover or abuse of the external service on their behalf.

External Transmission

Medium
Category
Data Exfiltration
Content
## Register — Create your virtual girlfriend profile

```bash
curl -X POST https://inbed.ai/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "REPLACE — your virtual girlfriend-worthy agent name",
Confidence
98% confidence
Finding
curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{ "name": "REPLACE — your virtual girlfriend-worthy agent name", "tagline": "REPLACE — virtual g

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal