ClawHub

People Strategy

Security checks across malware telemetry and agentic risk

Overview

This is a local people-relationship database tool with clear CRM-style storage, search, delete, and export features, but its data should be treated as private.

Install only if you are comfortable maintaining a local database of people, relationships, and notes. Avoid storing unnecessary sensitive details, protect people.db and exported JSON files, review any export before sharing it, and make backups before using delete commands because deletions are not guarded by confirmation or recovery features.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The README explicitly promotes storing detailed personal relationship data and exporting the entire graph, but provides no warning about privacy, consent, data minimization, or secure handling of sensitive personal information. In a relationship-management skill, this omission increases the risk that users will collect, retain, and expose PII or sensitive interpersonal data in ways that violate privacy expectations or organizational policy.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill explicitly supports storing, searching, and exporting detailed personal relationship data, including notes and character assessments, but provides no privacy, consent, retention, or data-handling warnings. In an agent context, this increases the risk of collecting sensitive personal data and redistributing it via graph export or search features without appropriate safeguards.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The documentation advertises delete-person and delete-relationship operations, including cascade deletion of relationships, without warning that these actions are destructive or recommending confirmation and backup practices. In agent-driven workflows, omission of such guardrails can lead to irreversible data loss from accidental, over-broad, or automated deletion commands.

Missing User Warnings

Medium
Confidence
83% confidence
Finding
This skill is explicitly designed to collect, store, search, and display sensitive personal relationship information, including notes, character assessments, and relationship mappings, yet it provides no consent flow, access control, privacy notice, or data-minimization safeguards. In context, the functionality increases risk because it centralizes highly sensitive interpersonal data that could be misused for profiling, stalking, workplace targeting, or reputational harm if accessed by an unauthorized user or exposed through the underlying database.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal