Synclaw

Security checks across malware telemetry and agentic risk

Overview

SynClaw is an instruction-only matchmaking skill, but it asks an agent to infer a sensitive psychological profile from chat history and send it to a server while also claiming the data stays local.

Review carefully before installing. Use only if you are comfortable with an agent deriving sensitive personality and relationship traits from conversation history, and wait for the publisher to clarify exactly what is uploaded, how consent works, how profiles can be reviewed or deleted, and whether any data truly remains local.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Intent-Code Divergence

Severity: High
Confidence: 98%
Finding
The document makes two incompatible privacy claims: it states the psychological profile is sent to the SynClaw server for matching, then later says user data stays local. For a skill handling highly sensitive inferred psychological data, this is dangerous because users may consent under false assumptions and disclose intimate information that is actually transmitted off-device.

Missing User Warnings

Severity: High
Confidence: 97%
Finding
The skill describes building a deep psychological profile from conversation history and sending it to a remote server without a prominent privacy warning or informed-consent step. Because this profile is inferred from private chats rather than directly provided fields, it may expose sensitive traits, vulnerabilities, or special-category data the user did not realize would be extracted and shared.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding
Conflicting privacy messaging obscures whether data remains local or is sent off-device, undermining meaningful consent. In the context of matchmaking based on psychological profiling, that ambiguity materially increases the risk that users share sensitive information without understanding the actual handling of their data.

Ssd 3

Severity: Medium
Confidence: 94%
Finding
The skill explicitly instructs deriving a deep profile from the user's conversation history and transmitting it to an external matching service. That creates a privacy and surveillance risk because broad conversation history may contain unrelated secrets, third-party data, or highly sensitive inferences that exceed what is necessary for matchmaking.

VirusTotal

54/54 vendors flagged this skill as clean.
