ClawHub

Date.skill

Security checks across malware telemetry and agentic risk

Overview

This is a local dating-memory skill with sensitive plain-text notes, but its behavior is disclosed, purpose-aligned, and not hidden or executable.

Install only if you are comfortable keeping local plain-text notes about people you date. Record only information shared appropriately, avoid unnecessary sensitive details, protect the device or account where the files live, and delete profiles you no longer need.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Intent-Code Divergence

Medium
Confidence
91% confidence
Finding
The skill states Reflection Mode will present observations neutrally and not tell the user what to do, but the example adds directional interpretation such as a 'positive trajectory' and recommends a next step. In a dating context, this can nudge emotionally significant decisions and blur the boundary between memory aid and advice, increasing the risk of manipulative or overreaching behavior.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The README encourages collecting and storing highly sensitive personal data about romantic partners, including health information such as allergies and relationship-pattern notes, but provides no meaningful guidance about consent, retention limits, access control, encryption, or safe handling. In a dating-context skill, this increases privacy and misuse risk because the stored data is intimate, potentially identifying, and could harm the subject if accessed by others or retained without their knowledge.

Vague Triggers

Medium
Confidence
83% confidence
Finding
Broad triggers like 'gift ideas,' 'date ideas,' or 'how's it going with [name]?' can activate the skill in situations where the user may not intend to access or process sensitive relationship data. Because the stored content includes intimate preferences, family details, and behavioral patterns, accidental invocation could expose or act on sensitive data at the wrong time or in the wrong context.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill stores highly sensitive relationship information, including allergies, family names, emotional patterns, deal-breakers, and important dates, in human-readable Markdown and JSONL on disk. Although it says data is local, it does not clearly warn users that plain-text local files are easily accessible to other local users, malware, backups, and device compromise, making exposure of intimate personal data more likely.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
This template encourages persistent collection of highly sensitive personal data about a romantic partner, including allergies, birthday, deal-breakers, family details, conflict style, and red/yellow/green flags, without active-use privacy safeguards, minimization guidance, consent language, or storage protections. In the context of a 'self-learning' dating memory tool, this creates a meaningful risk of surveillance, misuse, coercive control, stalking, or harmful disclosure if the notes are accessed by others or retained after the relationship changes.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal