ClawHub

Marriage Matching

Security checks across malware telemetry and agentic risk

Overview

The skill appears to perform the advertised marriage-horoscope report workflow, but it sends sensitive details for two people to an external service and exposes generated PDF links without documented privacy or access controls.

Review carefully before using real personal data. Only use it with explicit consent from both people, avoid unnecessary phone or family details where possible, and verify the provider's privacy policy, deletion process, retention period, and download-link protections before installing or running it.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill requests and transmits highly sensitive personal data for two individuals, including full names, parents' names, mobile numbers, birth date, birth time, and birthplace, without any privacy notice, consent guidance, retention policy, or handling restrictions. This is dangerous because the dataset is sufficient for profiling, identity correlation, and exposure of intimate personal attributes, especially when sent to a third-party service.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The response returns direct downloadable PDF URLs containing horoscope and marriage-matching reports, but the documentation does not warn that these URLs may expose highly sensitive generated artifacts if shared, logged, or guessed. Because the reports likely contain personal and astrological profiling data for both parties, undocumented public-style download links materially increase confidentiality risk.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal