ClawHub

Deepsynclaw

Security checks across malware telemetry and agentic risk

Overview

This skill needs Review because it describes sensitive psychological profiling from conversation history and remote matching while also claiming the data always stays local.

Review carefully before installing. Only use this skill if you are comfortable with sensitive psychological and relationship inferences being generated from prior conversations and potentially sent to a remote matching service; the publisher should clarify what leaves the device, remove the local-only claim unless true, and require explicit consent before profiling or upload.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The document states that profile data is sent to a DeepSynClaw server for matching, yet later claims 'Your data stays local. Always.' These statements are materially inconsistent and can mislead users into disclosing highly sensitive psychological data under false privacy assumptions. In a skill centered on deep profiling and matchmaking, that contradiction increases the risk of uninformed consent and privacy harm.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger phrases include common requests such as 'find me a partner' and 'who am I compatible with,' which can cause the skill to activate during ordinary conversation without the user clearly intending deep psychological profiling. Because this skill processes especially sensitive inferred personal data, overly broad activation raises the chance of unexpected collection or transmission of intimate information.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The usage examples encourage broad natural-language activation without clarifying that the skill may infer psychological traits from conversation history and send a profile to a server. In this context, ambiguous examples increase the likelihood of silent activation and surprise processing of sensitive personal information.

Missing User Warnings

High
Confidence
98% confidence
Finding
The workflow explicitly says the agent builds a deep psychological profile from LLM conversation history and sends that profile to a server, but it does not present a clear warning, consent mechanism, or minimization guidance. This is dangerous because inferred mental/behavioral characteristics are highly sensitive, and remote transmission without transparent notice can expose users to privacy, misuse, and compliance risks.

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal