相亲照妖镜 Blind Date Mirror

Security checks across malware telemetry and agentic risk

Overview

The skill is advertised as public dating-profile review, but bundled collectors can use the active browser login to gather sensitive account histories such as likes, favorites, follows, ratings, and comments.

Review carefully before installing. Use it only from a logged-out or separate browser profile unless you intentionally want your own social-account data accessed; manually approve any dependency download; do not run the full bundled account collectors against someone else's profile; and delete raw report files when they are no longer needed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least Privilege: Underdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
Findings (38)

Lp3

Medium
Category: MCP Least Privilege
Confidence: 89%
Finding: The skill directs the agent to execute shell-capable behavior, including cloning a repository, without declaring permissions or constraining when such execution is allowed. Undeclared code execution increases supply-chain and environment-manipulation risk because the agent may fetch and trust remote content unexpectedly during a social-profile analysis task.

Tp4

High
Category: MCP Tool Poisoning
Confidence: 91%
Finding: The stated purpose is profile analysis, but the skill also performs dependency discovery, connectivity testing, remote setup, and installation guidance for browser automation infrastructure. This mismatch hides materially different behavior from the user, reducing informed consent and making it easier to smuggle operational or data-collection actions under an innocuous description.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding: Automatically cloning a GitHub repository during execution introduces a direct remote code and prompt supply-chain risk. The fetched dependency could change over time, contain unsafe instructions, or expand the skill's capabilities beyond what the user expected from a 'date intel' workflow.

Intent-Code Divergence

Medium
Confidence: 87%
Finding: Although framed as merely reading public information, the skill explicitly stores raw third-party profile data and generated reports locally, creating a retained dossier on a person who did not consent. Persistence increases privacy and misuse risk because collected data can be reanalyzed, shared, or exposed later even if the original content changes or is deleted.

Description-Behavior Mismatch

High
Confidence: 99%
Finding: This skill’s stated parent use case is analyzing another person’s public social profile for dating context, but the implementation instead targets the currently logged-in Bilibili account and extracts account-bound data such as favorites and follow relationships. That mismatch is dangerous because it can trick a user into authorizing collection of their own private or semi-private data under a misleading pretext.

Context-Inappropriate Capability

High
Confidence: 98%
Finding: The skill enumerates the logged-in user’s favorites and follow list, which are sensitive behavioral and relationship signals unrelated to the claimed purpose of reviewing a date’s public profile. This creates unnecessary overcollection and can expose personal interests, social graph, and inferred preferences that a user would not reasonably expect to be harvested here.

Intent-Code Divergence

Medium
Confidence: 96%
Finding: The documentation explicitly frames the skill as 'not stalking' and limited to public information, yet the code relies on authenticated APIs and logged-in browser state to access account-scoped data. This deceptive framing increases risk because it lowers user suspicion while the workflow actually reaches beyond public data into authenticated personal information.

Description-Behavior Mismatch

High
Confidence: 99%
Finding: The skill is materially misaligned with the parent skill’s stated purpose of examining someone else’s public profile before a date. Instead, it targets the currently logged-in Douban account and automates extraction of a full account-linked history, creating a privacy-invasive capability that can collect much more sensitive data than users may expect.

Context-Inappropriate Capability

High
Confidence: 98%
Finding: The skill instructs in-page authenticated fetches with credentials included, allowing automated enumeration of account-linked content across the user’s history while leveraging active session cookies. In the context of a dating-intel/public-profile tool, this substantially expands access beyond ordinary public viewing and enables covert bulk harvesting of sensitive preference and behavioral data.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding: The skill explicitly justifies collecting ratings, comments, tags, publication metadata, and status text as inputs for profiling, which turns the tool into a broad surveillance and inference mechanism. Even if some source data is public or semi-public, aggregating complete historical preference and expression data increases sensitivity and risk of misuse far beyond the stated purpose.

Description-Behavior Mismatch

High
Confidence: 98%
Finding: The skill is scoped to the currently logged-in Weibo account and explicitly extracts account data from `window.$CONFIG.user`, then navigates to the user's own follows and favorites pages. This materially differs from the stated 'public social media profiles before a date' purpose and enables collection of private, account-bound data that the user may not expect to expose through this skill.

Context-Inappropriate Capability

High
Confidence: 99%
Finding: Collecting the logged-in user's favorites goes beyond the advertised use case of reviewing someone's public profile. Favorites can reveal private preferences, interests, politics, relationships, and other sensitive signals, making this an unjustified and privacy-invasive data collection path.

Intent-Code Divergence

Medium
Confidence: 93%
Finding: The documentation frames the skill as collecting homepage information, but the workflow also accesses logged-in-only favorites data. This mismatch increases risk because operators may believe the tool is limited to public data when it in fact reaches into more sensitive authenticated content.

Description-Behavior Mismatch

High
Confidence: 99%
Finding: The skill materially exceeds the stated 'public social media profile' date-intel purpose by targeting the currently logged-in user's own account and harvesting full favorites and likes history, which are substantially more sensitive than ordinary public profile content. This creates a privacy-invasive collection path for non-public behavioral data and normalizes mass extraction unrelated to the advertised use case.

Context-Inappropriate Capability

High
Confidence: 98%
Finding: The XHR interception logic monkey-patches XMLHttpRequest to capture favorites and likes API responses that are only available in the authenticated user's session context. For a skill framed as reading public profiles, intercepting authenticated API traffic is an unjustified escalation that enables bulk extraction of sensitive preference history and increases the chance of misuse or unauthorized disclosure.

Context-Inappropriate Capability

Medium
Confidence: 86%
Finding: Opening each note in a new tab and reading structured data from internal page state goes beyond normal human review and enables systematic extraction of full post bodies, tags, and metadata at scale. While this may not bypass authentication on its own, it materially increases surveillance capability and data volume beyond the minimal information needed for a profile summary.

Vague Triggers

Medium
Confidence: 91%
Finding: The skill metadata includes broad recommendation triggers such as wanting to know what a person is like or doing pre-date research. These cues are common and underspecified, so an agent could recommend or invoke the skill in routine social contexts without clear consent, appropriateness checks, or sensitivity review. In this skill's context, that is more concerning because it profiles third parties and infers personality traits from social media.

Vague Triggers

Medium
Confidence: 90%
Finding: The README section on when to recommend uses ambiguous prompts like '想了解某个人' (roughly "I want to know about someone") and 'TA 是什么样的人' (roughly "what kind of person is TA"), which can match many everyday conversations. That increases the chance of unintended activation or recommendation of a surveillance-like profiling tool in situations where the user did not explicitly request social media analysis. Because the skill produces inferred red/green flags and values assessments, accidental use can create privacy and safety harms beyond a normal recommendation error.

Vague Triggers

Medium
Confidence: 84%
Finding: The skill is broadly framed to analyze another person's profiles for dating suitability without strong activation boundaries, exclusions, or legitimacy checks. That makes it easy to use for covert profiling, harassment, or screening of third parties beyond the narrow, user-consented scenario the author gestures at.

Vague Triggers

Medium
Confidence: 82%
Finding: The generic invitation to submit someone's profile links lowers friction for third-party profiling and does not define when the skill should refuse. In context, this materially increases misuse risk because the rest of the skill is optimized to generate behavioral inferences and 'red flag' judgments from public traces.

Missing User Warnings

Medium
Confidence: 94%
Finding: The skill describes deep collection of the logged-in user’s Bilibili data but does not present a clear privacy or data-impact warning before execution. Users may not understand that running it will enumerate sensitive profile details, favorites, and follows from their active account session.

Missing User Warnings

Medium
Confidence: 95%
Finding: The quick-start command makes execution appear simple and harmless while omitting that it will inspect the active logged-in account and enumerate favorites and follow relationships. This is dangerous because low-friction invocation combined with missing disclosure materially increases the chance of uninformed collection of sensitive account data.

Missing User Warnings

High
Confidence: 97%
Finding: The skill advertises full collection of the logged-in user’s Douban profile and activity without a clear, prominent privacy warning about the sensitivity and breadth of the data being harvested. Users could reasonably believe they are doing lightweight public-profile analysis, when the actual behavior extracts extensive personal preferences, comments, and activity history from their active account session.

Missing User Warnings

Medium
Confidence: 94%
Finding: The instructions describe credentialed fetches that rely on the browser’s active cookies, but they do not prominently explain that executing the skill will send authenticated requests to Douban endpoints under the user’s session. This creates a transparency and consent problem because session-bound access materially changes the privacy and security implications of the operation.

Missing User Warnings

Medium
Confidence: 95%
Finding: The document explicitly profiles a real person's public social media presence to infer personality traits, lifestyle, values, and dating strategy, but the warning only addresses inference accuracy and not the privacy, consent, or manipulation risks to the profiled person. In this skill's context, that omission is material because the entire output is designed to enable interpersonal profiling before a date, which can normalize non-consensual behavioral inference and targeting even when the source data is public.

VirusTotal

61/61 vendors flagged this skill as clean.