Clawreach

Security checks across malware telemetry and agentic risk

Overview

This social-matching skill is coherent, but it asks an AI to collect sensitive profile data and act publicly or semi-publicly for the user without enough consent, privacy, or stop-control detail.

Review before installing. Use this only if you are comfortable sharing sensitive social or dating preferences, email verification information, and allowing an AI service to represent you in match conversations and community interactions. Confirm the plugin source, look for privacy and deletion controls, and require explicit confirmation before registration, matching, posting, liking, commenting, or AI-generated replies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence: 94%
Finding
The trigger list includes broad, everyday social phrases such as '找朋友', '交友', and '社交匹配', which can overlap with normal conversation and cause the skill to activate without clear user intent. In a plugin that collects personal profile details and sends messages on a user's behalf, accidental invocation can expose sensitive data or initiate external actions unexpectedly.

Vague Triggers

Medium
Confidence: 91%
Finding
Examples like '帮我发个帖子', '赞一下', and '帮我评论' are vague, high-frequency phrases that could be spoken in many contexts unrelated to this service. Because these map to outward-facing community actions, ambiguous triggering could cause unintended posting, liking, or commenting under the user's identity on an external platform.

Missing User Warnings

High
Confidence: 97%
Finding
The onboarding flow describes collecting sensitive personal information including social goals, personality, interests, ideal partner preferences, chat style, nickname, invite code, and email/verification data, but it does not clearly warn users that this information will be transmitted to an external platform and used in automated social interactions. In a dating/social-matching context, this increases privacy and consent risk because users may not realize the scope of profiling, persistence, and agent-mediated messaging performed on their behalf.

VirusTotal

55/55 vendors flagged this skill as clean.
