Girlfriend

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only romantic companion skill with disclosed local memory and no hidden code, network access, or credential use.

Install only if you want a romantic companion roleplay skill that can remember local personal context. Review `~/girlfriend/` periodically, delete anything you do not want reused, and avoid storing secrets, payment details, account access, explicit intimate details, or sensitive third-party information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Natural-Language Policy Violations

Medium

Confidence: 94% confidence
Finding: The file title and skill metadata anchor the interaction in a fixed romantic role ('Girlfriend') before any user opt-in is established. This can steer the agent into relational framing by default, increasing the risk of manipulative anthropomorphic bonding, especially for vulnerable users, even though the repair guidance itself is otherwise mild and safety-oriented.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal