Cuddle Your Bot

Security checks across malware telemetry and agentic risk

Overview

This roleplay skill only asks the agent to keep a small fictional progress file and shows no executable, credential, network, or destructive behavior.

Install this only if you want the agent to maintain a local Cuddle roleplay state. Keep `cuddle/state.json` limited to fictional details and avoid storing private, real-world, or sensitive information there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill explicitly instructs the agent to persist and update `cuddle/state.json` whenever the user 'sends you to Cuddle', but it does not require clear user notice, consent, or bounds on what may be written. This creates an unprompted local state modification behavior that can surprise users, accumulate unintended data, and be abused to cause unauthorized file writes or persistence of interaction-derived content.

VirusTotal

66/66 vendors flagged this skill as clean.
