Companion

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only companion skill that stores local personal notes for continuity, with privacy caveats but no evidence of hidden execution, exfiltration, or deception.

Install only if you are comfortable with the assistant keeping local notes in ~/companion/ about personal details such as relationships, routines, mood, and health context. Review or delete those files periodically, avoid storing details you do not want retained, and do not rely on this skill for medical, therapeutic, or emergency help.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (6)

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding:
The guide instructs persistent storage of a fairly detailed personal dossier, including living situation, health notes, family, routines, and relationship history, for a non-professional companion use case. Even if framed as supportive memory, centralizing this data creates privacy and misuse risk well beyond what is necessary for casual conversation continuity.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding:
The documented memory structure supports sensitive profiling by recording health status, family/caregiver relationships, emotional state, routines, and potentially vulnerable circumstances. In the context of a companionship skill, this breadth of profiling is not clearly justified and could expose users—especially lonely or elderly users—to privacy harm, manipulation, or unauthorized secondary use.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding:
The section encouraging learning from 'patterns' and 'what they don't say' promotes inference of user traits and sensitivities beyond explicit disclosure. This is dangerous because it enables covert profiling of emotional state, routines, and avoided topics without transparency or consent, increasing the chance of manipulation or privacy-invasive personalization.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The skill instructs the agent to automatically read persistent user data from ~/companion/ on activation, including sensitive personal context such as routines, history, and health-related concerns, without any visible consent flow or privacy notice. In a companionship context, this is more sensitive than usual because users may disclose loneliness, illness, and other intimate details they may not expect to be silently reloaded every session.

Missing User Warnings

Medium
Confidence: 97%
Finding:
The file describes long-term storage of sensitive personal and conversational data but provides no meaningful user-facing warning, consent flow, or explanation of persistence. That is especially risky here because the skill positions itself as a trusted 'real companion,' which may encourage vulnerable users to share intimate details without understanding they are being retained and structured.

Natural-Language Policy Violations

Medium
Confidence: 93%
Finding:
The crisis guidance lists example emergency numbers and says crisis lines vary by country, but it does not explicitly require the agent to determine the user's location before giving emergency-contact advice. In a crisis-support context, providing the wrong emergency number or non-local resource can delay urgent help, making this more dangerous than it would be in a general informational skill.

VirusTotal

66/66 vendors flagged this skill as clean.