Social Graph

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed social-memory tool, but it encourages persistent notes about real people without enough privacy, consent, or deletion boundaries.

Install only if you intentionally want a local social-memory system. Use aliases where possible, avoid storing contact details or sensitive personal inferences, get consent where appropriate, review and delete stale entries, and invoke the skill only for explicit relationship-management tasks.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Vague Triggers

Medium
Confidence: 85%
Finding:
The trigger list includes very broad, everyday phrases like 'sharing', 'who to tell', and 'social awareness', which can cause the skill to activate in many ordinary conversations unrelated to explicit user intent. Over-broad activation increases the chance that the model applies hidden behavioral guidance unexpectedly, including consulting or updating social-memory files in contexts where the user did not ask for that behavior.

Missing User Warnings

Medium
Confidence: 94%
Finding:
The template explicitly instructs users to maintain per-person relationship records including trust levels, sharing rules, discomfort triggers, and contact methods, but provides no privacy, consent, retention, or sensitivity guidance. In a social-agent skill, this creates a structured profiling system for personal data that could enable inappropriate collection, storage, or disclosure of sensitive interpersonal information.

Missing User Warnings

Medium
Confidence: 96%
Finding:
The guidance to 'add them here' and track what has been shared encourages ongoing profiling of new individuals and logging interaction history without any warning about consent, transparency, or privacy risk. Because this skill is specifically designed for social intelligence, the context increases the danger: it normalizes silent accumulation of personal relationship data across many people.

Ssd 3

Medium
Confidence: 95%
Finding:
The skill explicitly instructs the model to maintain per-person records about trust levels, sensitivities, boundaries, and prior sharing history, then reuse those records in future interactions as ongoing memory. This creates a structured dossiering mechanism about individuals, which can capture sensitive interpersonal information without meaningful consent, increase privacy risk, and enable profiling or differential treatment across conversations.

VirusTotal

64/64 vendors flagged this skill as clean.
