Soft Pillow - Sleep & dream journal

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward Soft Pillow connector that can read sensitive sleep and dream data when the user provides an API key.

Install only if you are comfortable giving the agent read access to your Soft Pillow sleep and dream history. Use a revocable API key, avoid sharing it in chat or logs, limit queries to the entries you need, and revoke the key from Soft Pillow settings when you no longer use the skill.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill explicitly handles highly sensitive personal data, including sleep patterns, dreams, mood, notes, disruptions, and activity data, but provides no privacy warning, consent guidance, or data-handling notice. In this context, omission increases the risk that users share intimate health-adjacent information without understanding the sensitivity or downstream exposure to the external service.

Missing User Warnings

Medium
Confidence: 94%
Finding
The authentication guidance tells users to send a bearer API key but does not adequately warn about protecting that credential or the privacy implications of transmitting sensitive personal data to the Soft Pillow service. Because the token appears to grant access to intimate user records, weak guidance around credential handling can lead to credential leakage, unauthorized account access, and disclosure of sensitive sleep, mood, and note data.

VirusTotal

66/66 vendors flagged this skill as clean.
