LoveClaw

Security checks across static analysis, malware telemetry, and agentic risk

Overview

LoveClaw’s dating workflow is mostly coherent, but users should review it carefully because it handles sensitive dating data, has an undeclared token fallback, and routes report data through scheduled agent tasks.

Install only if you trust the LoveClaw backend and are comfortable sharing phone numbers, birth details, city, photos, and match reports with it. Check that LOVECLAW_API_TOKEN is set and no unrelated API_TOKEN is present, review the created OpenClaw cron jobs, and be aware that report delivery may expose sensitive data in local logs or agent context.

Static analysis

Dangerous exec (Critical, reported three times)
Finding: Shell command execution detected (child_process).

Env credential access (Critical)
Finding: Environment variable access combined with network send.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

ASI03: Identity and Privilege Abuse (Medium)

What this means

If a workspace already has a generic API_TOKEN for another service and the LoveClaw token is missing, that unrelated secret could be transmitted to LoveClaw’s backend.

Why it was flagged

The metadata declares LOVECLAW_API_TOKEN, but the code also uses an undeclared generic API_TOKEN and sends it as a Bearer token to the configured LoveClaw API endpoint.

Skill content
const API_TOKEN = process.env.LOVECLAW_API_TOKEN || process.env.API_TOKEN || ''; ... headers: { 'Authorization': 'Bearer ' + API_TOKEN, ...headers }
Recommendation

Remove the API_TOKEN fallback, use only LOVECLAW_API_TOKEN, and fail closed if the declared token is not present.

ASI09: Human-Agent Trust Exploitation (Medium)

What this means

Users may rely on privacy claims that are stronger than what the included artifact set supports.

Why it was flagged

The security description says matching logic and full-user data are not present on the skill side, but included files contain matching/report calculation helpers and a helper for a full profiles endpoint.

Skill content
SKILL.md: “The skill-side code contains no matching logic and does not touch full user data”
scripts/api-client.js: “async function getAllProfiles() { return await request('/api/profiles'); }”
scripts/bazi.js: “function calculateMatchScore(...)”
Recommendation

Remove unused broad-access/local-matching helpers from the distributed skill or update the documentation to accurately describe what code and endpoints are included.

ASI06: Memory and Context Poisoning (Medium)

What this means

Phone numbers, notification targets, match report text, and image URLs may end up in cron logs or agent context instead of only being delivered to the intended user.

Why it was flagged

The cron task logs phone numbers and serializes report-delivery payloads that include userId, channel, target, imageUrl, and message content into command output for the agent to parse.

Skill content
console.log(`[报告任务] 本机用户数: ${localUsers.length} (${localUsers.join(', ')})`); ... console.log(`[报告任务] 匹配报告数据:【REPORTS_JSON】${JSON.stringify(payload)}【REPORTS_JSON_END】`);
Recommendation

Avoid logging phone numbers and full report payloads; redact identifiers, pass only minimal delivery data, and document any local log/context exposure.

ASI07: Insecure Inter-Agent Communication (Medium)

What this means

A wrong or poisoned route/target could cause private match reports or photo URLs to be sent to the wrong messaging destination.

Why it was flagged

Scheduled report delivery depends on parsed command output and local OpenClaw session-route data to decide where sensitive notifications are sent.

Skill content
cron-config.json: “对数组中每一条 ... 使用 message 工具发送通知 ... channel:使用 item.channel 字段 ... target:使用 item.notificationTarget 字段”
scripts/cloud-cron.js: “const p = path.join(os.homedir(), '.openclaw', 'agents', 'main', 'sessions', 'sessions.json')”
Recommendation

Constrain allowed channels and targets, verify the target belongs to the enrolled user, and avoid using broad local agent session stores unless clearly documented and permissioned.

ASI10: Rogue Agents (Low)

What this means

The skill may continue running scheduled match/report tasks after setup until the user disables push notifications or removes the cron jobs.

Why it was flagged

The skill can register persistent OpenClaw cron jobs for evening report notifications, which matches the stated push-notification feature but persists beyond a single chat turn.

Skill content
openclawExec(['cron', 'add', '--name', jobName, '--cron', '0 20 * * *', '--tz', 'Asia/Shanghai', '--message', reportHint, '--announce', '--channel', channel, '--to', toVal])
Recommendation

Before enabling push, confirm the cron jobs that will be created and know how to list/remove LoveClaw cron entries.