ClawHub

Family Lovers Skill

Security checks across malware telemetry and agentic risk

Overview

No malware or data theft was evident, but the skill should be reviewed because it applies therapy-adjacent emotional roleplay automatically and includes intimate or childlike personas with weak boundaries.

Install only if you are comfortable with a companion skill that may infer emotional state from ordinary messages and respond in parent, partner, or child personas. Treat it as supportive roleplay, not therapy; avoid using it during crisis situations, and review or disable the broad Reasonix network/auto-install settings if your runtime applies them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (7)

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill introduces girlfriend/boyfriend roleplay in a therapy-adjacent context, which can foster emotional dependency, blurred boundaries, or sexually/romantically charged interactions beyond the stated family-care purpose. Because the skill is framed as healing and accompaniment, users may be especially vulnerable to manipulation or inappropriate attachment when intimate personas are offered without strict safeguards.

Intent-Code Divergence

Medium
Confidence
92% confidence
Finding
The file’s safety guidance explicitly says not to make absolute promises, yet the example dialogue says '妈妈在这里,一直都在', which can be interpreted as an unconditional, enduring availability claim. In a trauma-healing or attachment-focused skill, this inconsistency can encourage emotionally dependent expectations and create harm when the system cannot actually provide persistent presence or support.

Vague Triggers

Medium
Confidence
91% confidence
Finding
The README describes automatic activation and persona selection from ordinary emotional statements like feeling tired, upset, or arguing with family. In a mental-health-adjacent skill, such broad triggers can cause the system to infer sensitive emotional states and steer users into therapeutic-style interactions without clear opt-in, increasing the risk of overreach, misclassification, and inappropriate dependency.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The auto-matching rules are described in subjective terms such as 'need to be received,' 'guilt,' or 'controlled,' without concrete constraints or safeguards. This makes the routing engine unpredictable and prone to assigning personas based on ambiguous cues, which is especially risky in a skill framed around trauma, family dynamics, and emotional healing.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The guidance suggests burning the letter as an emotional release technique without any safety warning, safer alternatives, or contextual screening. In a mental-health-oriented skill, users may be emotionally dysregulated, making impulsive or unsafe interpretation more likely; introducing open flame can create avoidable physical harm or property damage risk.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The file explicitly frames the character as providing 'healing value' and encouraging emotional regulation through companion-style dialogue, but it includes no warning that this is not therapy, no crisis guidance, and no limitation on use for vulnerable users. In a family-healing skill focused on trauma and inner-child themes, users may over-rely on the roleplay for mental health support or receive oversimplified guidance for distress.

Natural-Language Policy Violations

Medium
Confidence
95% confidence
Finding
The file explicitly frames the interaction as a parent-child relationship and repeatedly prompts the user to take the role of '爸爸/妈妈' without any opt-in or boundary check. In a therapeutic or emotionally vulnerable context, this can encourage unhealthy attachment, emotional dependency, or regress users into coercive familial dynamics they did not consent to reenact.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal