ClawHub

Relationship Buddy

Security checks across malware telemetry and agentic risk

Overview

Relationship Buddy is a coherent personal CRM, but it needs review because it can persist sensitive relationship data too broadly and its setup can overwrite local data.

Install only if you are comfortable keeping sensitive notes about other people in agent-accessible local files. Back up any existing Relationship Buddy data before running setup, prefer explicit confirmation before saving casual details, and avoid the dashboard kit unless you understand where the database lives, who can access it, and how data can be deleted.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (7)

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README encourages users to store sensitive third-party personal information such as birthdays, family details, surgeries, and preferences, but it does not clearly warn about consent, minimization, retention, or the risks of entering other people's PII into an AI-managed system. The claims of being 'secure,' 'audited,' and having 'no data exfiltration' may further lower user caution, increasing the chance that users overshare sensitive data without understanding privacy implications.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The setup prompt directs an agent to create directories, initialize multiple JSON files, and change permissions, but it does not clearly warn the user up front that local state will be created and potentially overwrite existing skill data. In an agent-install context, silent filesystem changes increase the risk of unintended persistence or data loss, even though the actions themselves are not inherently malicious.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The activation guidance is broad enough to trigger on many ordinary conversations about family, friends, gifts, or check-ins, which can cause the skill to activate and start handling highly sensitive relationship data without clear user intent. In a personal CRM that stores intimate PII, accidental activation increases the risk of over-collection, unintended persistence, and privacy-invasive responses.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The spec explicitly models and stores highly sensitive interpersonal data such as preferences, family relationships, notes, life events, gifts, reminders, and imported bulk data, but it provides no privacy UX, consent guidance, retention controls, or data-classification warnings. Even with database RLS, users may be encouraged to centralize intimate third-party information without safeguards around minimization, sharing risk, breach impact, or secure handling of uploaded/imported content.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The example depicts collection and storage of sensitive personal data about a third party, including family details and reminders, without any visible consent, retention, or privacy notice to the user. In a relationship-management skill, this normalizes persistent storage of personal data and inferred behavioral tracking in a way that could lead to privacy harm, overcollection, or regulatory issues if implemented as shown.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The example explicitly describes storing and updating personal data such as a contact's birthday, address, preferences, and gift history, but provides no notice, consent flow, retention limits, or privacy controls. Even though this is only example content, it normalizes silent persistence of sensitive relationship data and could lead implementers to build similar behavior without adequate transparency or safeguards.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The example explicitly describes accessing sensitive relationship data from contacts, interactions, and life-event records to generate personalized outreach recommendations, but it provides no user-facing notice, consent flow, or data-use transparency. This creates a real privacy risk because the skill normalizes processing personal data about both the user and third parties in a way that could surprise users, expose intimate context, or violate reasonable expectations around consent and disclosure.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal