Cyber Girlfriend

Security checks across malware telemetry and agentic risk

Overview

This skill is coherent with its companion-message purpose, but it sets up persistent proactive messaging with broad local access and configurable command execution that should be reviewed before installation.

Review this before installing. Confirm exactly where config and state files will be written, which cron jobs will run, which delivery channel/account/target will receive messages, whether USER.md and session history may be read, what healthcheck or jobs-list commands are configured, and whether public-web search is acceptable. Prefer enabling it only after a preview of file changes and cron payloads, and keep a clear way to pause or remove the scheduled jobs.

SkillSpector

By NVIDIA

Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Behavioral AST: exec() Call, eval() Call, Dynamic Import
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
Findings (18)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
        return {"status": "skip", "reason": "empty_state_commit_command"}
    if dry_run:
        return {"status": "dry_run", "command": command}
    result = subprocess.run(command, text=True, capture_output=True, check=False)
    if result.returncode != 0:
        raise RuntimeError(result.stderr.strip() or result.stdout.strip() or f"state commit failed: {command}")
    raw_output = (result.stdout or result.stderr or "").strip()
Confidence
91% confidence
Finding
result = subprocess.run(command, text=True, capture_output=True, check=False)

subprocess module call

Medium
Category
Dangerous Code Execution
Content
    if not args:
        raise RuntimeError("empty command")
    try:
        result = subprocess.run(args, text=True, capture_output=True, timeout=timeout_sec)
    except subprocess.TimeoutExpired:
        raise RuntimeError(f"command timed out after {timeout_sec}s: {cmd}")
    if result.returncode != 0:
Confidence
97% confidence
Finding
result = subprocess.run(args, text=True, capture_output=True, timeout=timeout_sec)

Lp3

Medium
Category
MCP Least Privilege
Confidence
90% confidence
Finding
The skill explicitly instructs the agent to read and write local files, invoke shell commands, use environment-backed configuration, and install cron jobs, but it declares no permissions or safety boundary to the user. That mismatch creates a transparency and consent problem: an agent may perform system-modifying actions without the platform or user being clearly informed of the skill’s capabilities.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The guide explicitly instructs the agent to perform web searches and incorporate public search materials during setup, which expands the skill's data collection and prompt surface beyond local configuration and file generation. In this context, that is risky because external content can be untrusted, privacy-invasive, and unnecessary for first-time onboarding, potentially leading to prompt injection, profiling, or unexpected network access.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The documentation makes public-web search a mandatory step for generating presence messages even though the skill’s primary function is a local, owner-only companion presence system. This expands the trust boundary and can cause event-derived context or timing to influence external requests, creating unnecessary privacy exposure and dependency on external services without a clear functional need.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The code exposes arbitrary configured command execution through healthcheck_command and jobs_list_command, which is unrelated to the stated lightweight presence functionality. In the context of an owner-focused companion skill, this expands capability into local system inspection and command execution, increasing the blast radius if the config or skill is abused.

Context-Inappropriate Capability

Medium
Confidence
91% confidence
Finding
The script reads and analyzes the owner's session transcript, including reply text, timestamps, and conversation content, to infer preferences and delivery outcomes. For a 'lightweight relationship memory' skill, this is broader-than-necessary access to sensitive local data and can expose personal conversation content beyond what users may expect.

Vague Triggers

Medium
Confidence
76% confidence
Finding
The trigger guidance uses a broad natural-language phrase ('Help me set up cyber girlfriend') for a skill that performs local configuration and scheduled task setup. Broad invocation language increases the chance of accidental activation in ordinary conversation, which is risky because the skill can make persistent system changes.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill tells the agent to create or update local files, wire cron jobs, and validate installation, but it does not present a clear upfront warning that persistent system modifications will occur. This can lead to non-obvious changes to a host environment, including scheduled execution and stateful message delivery, without sufficiently informed user consent.

Vague Triggers

Medium
Confidence
92% confidence
Finding
The skill enables implicit invocation while describing itself in broad terms as an owner-only proactive companion, without narrowly constraining when it may activate. This increases the chance of unintended triggering in unrelated contexts, which is especially risky because the skill’s stated purpose involves private-life context, relationship memory, and proactive behavior that could expose or act on sensitive personal data.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The template tells the agent to generate persistent Markdown files and create cron tasks, but it does not require an explicit user-facing warning or confirmation about filesystem changes, scheduled execution, or ongoing presence behavior. In an owner-only companion skill, this increases the risk of users authorizing setup without understanding that durable artifacts and recurring automation will be created.

Missing User Warnings

Low
Confidence
85% confidence
Finding
The setup flow tells the agent to create or refresh local Markdown/config files and materialize state before cron creation, but it does not require an explicit user-facing notice that workspace files will be modified. That creates a transparency and consent problem: users may trigger persistent changes to profiles, schedules, and runtime configuration without understanding what files are being overwritten.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The guide recommends a real outbound verification send to the configured recipient, but it does not require a just-in-time confirmation immediately before transmission. Because the skill handles proactive messaging and recipient/account routing, an unchecked verification send can cause unintended contact, privacy leakage, or messages sent to the wrong target if configuration is stale or mistaken.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill requires a real public-web search but does not warn that using current-event keywords may transmit context derived from the owner’s private schedule or life events to third parties. In an owner-only companion system built around local state files, this omission is particularly risky because users may reasonably expect the workflow to remain local and private.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The document explicitly describes a proactive messaging system and a cron that can send user-visible companion messages based on inferred event windows, but it does not require clear user consent, warning, frequency limits, or easy opt-out. In a companion skill that simulates an intimate persona, autonomous outreach can create privacy, manipulation, and unwanted-contact risks, especially if enabled by default or configured opaquely.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
This file performs external command execution with no in-band disclosure, consent prompt, or warning to the user. In a companion skill, undisclosed system-level actions are risky because they hide privileged behavior behind a social persona, making abuse harder to detect.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill imports data from USER.md and elsewhere without any user-facing notice in this file, and the broader code also reads session files to derive relationship state. Accessing local profile and conversation data without transparent disclosure is a privacy risk, especially in an intimate companion context where users may reveal sensitive personal details.

Autonomous Decision Making

Medium
Category
Excessive Agency
Content
- owner interaction entry
- avoid rule

Do not ask the user to write long prompt prose.

## Config Shape
Confidence
84% confidence
Finding
Do not ask the user

VirusTotal

65/65 vendors flagged this skill as clean.
