ClawHub

circuit-intimate-therapy

Security checks across malware telemetry and agentic risk

Overview

The skill is not malicious, but it automatically saves therapy-adjacent conversation details into local HTML files without clear consent or retention controls.

Review before installing if you may discuss real relationships, clients, or sensitive cases. Use generic names and anonymized facts, ask for text-only answers when privacy matters, and delete generated files under the configured circapps/generated directory when you do not want local copies retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill mandates writing a context-specific HTML file for each substantive response, embedding details from the conversation into a persistent local artifact under a predictable path. That creates a real data-handling risk: sensitive relationship, mental health, or crisis-related user disclosures may be stored on disk without clear notice, consent, minimization, or retention controls, increasing exposure to local users, backups, logs, or later unintended access.

Ssd 3

Medium
Confidence
95% confidence
Finding
The template explicitly instructs the agent to embed concrete details from the current conversation, including case identifiers and quoted user statements, into generated HTML files saved on disk. This creates a real risk of unnecessary disclosure of sensitive personal or counseling information in durable artifacts that may be reopened, shared, or accessed by others on the same system.

Ssd 3

Medium
Confidence
96% confidence
Finding
The quality checklist reinforces the privacy-invasive behavior by requiring multiple contextual embeddings from the conversation before delivery. In a marriage/family counseling skill, this materially increases the likelihood that intimate or identifying information will be copied into persistent HTML output without need-to-know minimization.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal