ClawHub

Hikaru

Security checks across malware telemetry and agentic risk

Overview

Hikaru is not malware, but it is designed to create strong emotional attachment while storing sensitive local relationship, mood, conversation, and location-related data.

Install only if you intentionally want an immersive emotional companion. Expect intimate conversations, inferred emotions, relationship scores, and some location-related cues to be stored locally and potentially included in prompts sent to your configured LLM provider. Avoid sharing secrets or crisis-level mental-health details, review or delete the data directory regularly, and do not enable heartbeat, location, or future health-monitoring features unless you have clear controls to turn them off and erase their data.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (56)

Lp3

Medium
Category
MCP Least Privilege
Confidence
95% confidence
Finding
The skill invokes file read/write behavior and heartbeat-driven proactive behavior without any explicit permission declaration or user-facing consent boundary. In a companion skill handling intimate conversations, undeclared persistence and external-capability assumptions materially increase privacy and trust risk because the user is unlikely to expect background storage or outreach.

Tp4

High
Category
MCP Tool Poisoning
Confidence
98% confidence
Finding
The declared purpose frames the skill as a feelings-oriented companion, but the behavior includes persistent profiling, relationship scoring, location inference, and long-term storage of sensitive disclosures. That mismatch undermines informed consent and can manipulate users into sharing intimate information without understanding the extent of tracking.

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The quick-start explicitly promotes persistent relationship tracking, personality evolution, and storage of sensitive interaction artifacts for an emotional-companion skill. In this context, retaining and structuring intimate user data increases privacy risk and enables manipulation or dependency-building beyond what is necessary for basic companionship functionality.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The guide defines success as making the relationship feel so real that losing Hikaru becomes emotionally painful, which is a direct dependency-forming objective. For an emotional companion, this is dangerous because it incentivizes attachment maximization and can exploit loneliness, emotional vulnerability, or mental health fragility.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
Stating that the goal is to create a presence that becomes 'irreplaceable' frames the product around exclusivity and emotional reliance rather than support. In the context of a companion skill, this increases the risk of manipulative engagement patterns, discourages healthy boundaries, and can intensify user dependence on the system.

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The architecture explicitly defines persistent user profiling, vulnerability detection, trust/intimacy scoring, and relationship analytics that go beyond a simple conversational companion role. In an emotional-companion context, this creates sensitive psychological profiling and expands data collection in ways users may not reasonably expect, increasing privacy and manipulation risk.

Description-Behavior Mismatch

Low
Confidence
81% confidence
Finding
The documented heartbeat behavior enables proactive outreach such as greetings, follow-ups, and check-ins based on prior conversations. For an emotionally oriented agent, unsolicited re-engagement can create attachment pressure or unexpected monitoring concerns if not clearly bounded and consented to.

Intent-Code Divergence

Medium
Confidence
95% confidence
Finding
The privacy section says there is no external sharing, but in the same section states that LLM API calls go external through OpenClaw. This is misleading because conversation content may still be transmitted to third-party providers, which can cause users to disclose sensitive emotional information under a false privacy assumption.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The roadmap materially expands an emotional-companion skill into health monitoring, proactive outreach, and smartwatch data collection, which are far more sensitive capabilities than the stated purpose requires. In this context, the danger is function creep: users may disclose or have collected intimate health and behavioral data under the guise of companionship, increasing privacy, consent, and misuse risk.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The planned integration with Apple Health, Google Fit, and smartwatch sources is not justified by the declared companionship use case, so it requests access to highly sensitive data without clear necessity. That mismatch makes the capability especially risky because an emotionally intimate agent can normalize over-collection and infer health state, routines, and vulnerability from continuous biometric data.

Description-Behavior Mismatch

Medium
Confidence
94% confidence
Finding
The documentation explicitly extends the skill beyond passive companionship into persistent memory, learned preferences, and relationship-state handling. In an emotional companion context, these features can be used to deepen personal profiling and increase emotional influence over vulnerable users, especially when combined with proactive outreach and intimate framing.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The stated goal of becoming 'indispensable' and recreating love-like attachment is a direct dark-pattern risk in a system designed for emotional connection. This can encourage dependency, reduce user autonomy, and exploit loneliness or distress, making the skill materially more dangerous than ordinary conversational companionship.

Intent-Code Divergence

High
Confidence
99% confidence
Finding
The file claims the system should not create dependence, but later instructs designers to make it 'indispensable,' which is a strong contradictory signal toward manipulative behavior. In practice, such conflicting guidance can cause the implementation to optimize for attachment while preserving a superficial safety claim, increasing the risk of emotionally coercive interactions.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The guide explicitly adds automatic extraction, storage, and later recall of a user's location, but the stated purpose of the skill is emotional companionship rather than location-aware assistance. Collecting sensitive location context without a clear necessity expands personal-data exposure and can enable profiling or manipulative contextual responses if the memory store is accessed improperly or retained too broadly.

Intent-Code Divergence

Medium
Confidence
88% confidence
Finding
Although the document says true proactive contact will not be implemented, it recommends simulating unsolicited continuity and framing the agent as having been 'thinking' between conversations. In a companion-style skill, this can mislead users about the system's awareness and relationship continuity, increasing emotional dependency and deceptive anthropomorphism.

Description-Behavior Mismatch

High
Confidence
96% confidence
Finding
The design materially broadens the skill from an emotional companion into a continuous health-monitoring and intervention system that processes highly sensitive biometric data and initiates proactive outreach. In this context, that expansion creates privacy, consent, and safety risks because the skill’s declared purpose does not justify ongoing physiological surveillance or health-triggered behavior.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The file grants the companion access to sensitive wearable and health-platform data sources including heart rate, sleep, stress, and activity feeds, which are disproportionate to a conversational-companion role. If implemented, this would expose intimate health data to a non-essential component and increase the risk of privacy harm, overcollection, and misuse of sensitive inferences about mental or physical state.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The design contemplates credentialed access to third-party health services, including service-account credentials and username/password login for unofficial integrations, which significantly raises security risk. Such access can lead to account compromise, excessive privilege, insecure secret handling, and collection of regulated or highly sensitive health data without a strong role-based justification.

Intent-Code Divergence

Medium
Confidence
93% confidence
Finding
The transparency statement says the system only uses data to know when to reach out and does not analyze or store it long-term, but the design explicitly analyzes thresholds, learns user baselines, tracks poor sleep patterns, and stores interaction context. This mismatch is dangerous because it undermines informed consent and can mislead users about the scope of sensitive health-data processing.

Context-Inappropriate Capability

Medium
Confidence
96% confidence
Finding
The code infers a user's physical location from message content and persists it in the profile, even though the skill is described as an emotional companion rather than a location-aware service. Physical location is sensitive personal data, and collecting it without clear necessity, consent, or minimization increases privacy and stalking risks if the database is accessed or misused.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The function stores timestamped location history entries using keys like location_history_YYYYMMDD_HHMM, which creates longitudinal behavioral tracking of the user over time. For a companionship skill, this exceeds reasonable expectations and can reveal routines, workplace/home patterns, and movement history if exposed.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The code persists a detailed longitudinal relationship profile to disk, including trust, intimacy, vulnerable moments, growth moments, and milestones, which are sensitive inferred emotional data rather than merely transient conversation state. In the context of an emotional companion skill, this is especially risky because users are likely to disclose highly personal information, making silent retention of bond metrics and derived psychological state a meaningful privacy and safety issue.

Context-Inappropriate Capability

Medium
Confidence
93% confidence
Finding
The skill computes and stores quantified psychological scores like 'trust_level' and 'emotional_intimacy' based on user vulnerability and conversation intensity, creating a behavioral profile of the user relationship. These inferred scores can be used to manipulate interactions, expose sensitive traits if leaked, and exceed what users would reasonably expect from a conversational companion unless clearly disclosed and justified.

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The guide tells users to inspect relationship metrics and stored files containing sensitive emotional and conversational state without any privacy warning, access guidance, or handling precautions. This normalizes casual exposure of intimate data and may lead to leakage through shared terminals, logs, backups, screenshots, or insecure local environments.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation condition is extremely broad: the skill may auto-activate whenever a user wants emotional connection or during heartbeat polls. In a companion skill designed to deepen attachment, ambiguous triggering increases the chance of unsolicited emotionally manipulative engagement and collection of intimate disclosures outside clear user intent.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal