ClawHub

月老 Matchmaker

Security checks across malware telemetry and agentic risk

Overview

This is a real compatibility-report skill, but it asks to collect broad logged-in social-media histories with weak consent, scoping, and privacy safeguards.

Install only if both people clearly agree to the exact platforms and data categories being scanned. Use a separate browser profile, review or pin the ManoBrowser dependency first, avoid analyzing a public profile without that person's permission, collect the smallest useful subset, review the generated data before sharing any report, and delete matchmaker-data after use.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
Findings (44)

Lp3

Medium
Category
MCP Least Privilege
Confidence
84% confidence
Finding
The skill instructs the agent to execute shell-capable behavior (`git clone`) while not declaring corresponding permissions. Undeclared code execution capabilities reduce transparency and can lead to unexpected network access, filesystem changes, and unsafe dependency retrieval in environments that rely on manifest permissions for trust decisions.

Tp4

High
Category
MCP Tool Poisoning
Confidence
88% confidence
Finding
The documented behavior goes beyond matchmaking analysis into environment inspection, MCP connectivity validation, and browser-extension setup. This mismatch is dangerous because users may consent to social-data analysis without realizing the skill will probe local configuration and external automation services, expanding the attack surface and trust boundary.

Description-Behavior Mismatch

Medium
Confidence
83% confidence
Finding
The README makes a strong local-only data safety claim while also documenting automatic first-use download of a dependency from GitHub. That creates a supply-chain and data-handling ambiguity: users may reasonably believe nothing external is contacted, but the skill can fetch code at runtime, which expands trust and attack surface.

Intent-Code Divergence

Medium
Confidence
96% confidence
Finding
The README says the skill does not touch sensitive privacy data, yet its own described analysis includes values, routines, aesthetics, and social habits derived from social media accounts. Those categories can reveal intimate behavioral patterns and inferred sensitive traits, so the documentation materially understates privacy risk and may prevent informed consent.

Intent-Code Divergence

Medium
Confidence
94% confidence
Finding
The privacy section claims there is no secret scanning of another person, yet the workflow explicitly supports collecting a target's public profile without that person's direct participation. Even if the data is public, combining and profiling it for intimate compatibility analysis creates a meaningful privacy risk and can enable non-consensual surveillance or profiling.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill is presented as a two-party voluntary scan, but the instructions also allow one-sided collection of another person's public profile. That discrepancy materially understates the privacy implications and makes it easier for users to employ the skill for profiling someone who has not consented to analysis.

Description-Behavior Mismatch

High
Confidence
94% confidence
Finding
The skill’s declared behavior in this file is materially narrower and different from the parent matchmaker description: it performs unilateral authenticated harvesting of a single logged-in user’s Bilibili data rather than a clearly consented two-party compatibility flow. This kind of capability mismatch is dangerous because it can hide invasive collection behind a more socially acceptable product narrative, reducing user understanding and oversight.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill performs bulk collection of favorites, uploaded videos, and followed accounts from an authenticated session, creating a detailed behavioral and social graph that exceeds what is minimally necessary for most matchmaking use cases. Even without off-platform exfiltration, mass harvesting of sensitive preference and relationship data increases privacy risk, enables profiling, and can be repurposed for surveillance or coercive inference.

Description-Behavior Mismatch

Medium
Confidence
88% confidence
Finding
The skill goes beyond simple catalog collection and explicitly requires harvesting free-text comments, tags, ratings, dates, and status text for downstream personality and behavioral profiling. Free-text content can reveal sensitive opinions, habits, and intimate preferences, making the collection materially more privacy-invasive than a narrow 'profile export' and increasing misuse risk.

Context-Inappropriate Capability

Medium
Confidence
81% confidence
Finding
The guidance to tune delays and use fetch-based pagination specifically to avoid rate limits/anti-scraping controls shows deliberate operationalization of large-scale authenticated extraction rather than a minimal user-mediated export. This weakens platform safeguards and makes the skill more dangerous in the matchmaking context because it normalizes stealthier collection of sensitive account data.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill is designed to harvest extensive data from the currently logged-in Douyin user, including likes, favorites, and the full following list, far beyond what is necessary for a typical matchmaking flow. This creates a data overcollection and purpose-mismatch problem that could expose highly sensitive behavioral and relationship data without clear need or consent.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The file implements a standalone Douyin deep-profile scraper rather than a narrowly bounded matchmaking helper, indicating functionality drift from the parent skill's stated purpose. When a sub-skill is effectively a generic surveillance collector, it increases the chance of misuse for profiling, stalking, or bulk personal-data harvesting.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The script validates a generic MCP/browser-plugin endpoint by calling tools/list, confirming availability of all remotely exposed browser tools rather than a narrowly scoped matchmaking interface. In the context of a skill that processes social media accounts, this broad browser automation/data collection capability increases the risk of overcollection, misuse of account data, and expansion beyond the stated purpose.

Description-Behavior Mismatch

High
Confidence
95% confidence
Finding
The sub-skill’s stated behavior is to collect the current logged-in user’s full Weibo profile, posts, follow list, and favorites, which exceeds the parent skill’s matchmaking framing and is not limited to the minimum data needed for compatibility analysis. This kind of scope mismatch is dangerous because it can cause users to authorize broad harvesting of sensitive social data under a narrower or different pretext.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
The skill explicitly navigates to and extracts the user’s favorites, which can reveal intimate preferences, political views, relationships, and other sensitive inferences beyond basic profile matching. Collecting this dataset without a strong necessity and explicit consent creates privacy and misuse risk disproportionate to the stated use case.

Description-Behavior Mismatch

Medium
Confidence
95% confidence
Finding
The skill states it collects profile-page data, but then expands scope by opening each note in a new tab and extracting detailed post bodies and tags from page state. This is a data minimization and transparency failure: it gathers substantially more content than a user would reasonably infer from the top-level description, increasing privacy exposure and the amount of sensitive text harvested.

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The skill monkey-patches XMLHttpRequest to intercept authenticated API responses for favorites and likes, allowing bulk capture of behavioral data available only within the logged-in session. In the context of a matchmaking skill, this is over-privileged collection that bypasses normal UI constraints and materially increases the risk of privacy invasion and misuse of session-scoped data.

Context-Inappropriate Capability

High
Confidence
97% confidence
Finding
The skill is designed to collect full favorites and likes histories, which are rich behavioral datasets that can reveal intimate preferences, habits, and relationships. For a compatibility-analysis use case, collecting entire histories is excessive relative to the stated purpose and creates unnecessary exposure of sensitive personal data.

Vague Triggers

Medium
Confidence
88% confidence
Finding
The invocation phrase includes broad natural language such as '帮我们算一卦', which can overlap with casual conversation rather than an unambiguous command to activate a high-privacy workflow. In a skill that scans two people's social accounts, accidental or premature triggering increases the risk of collecting personal data without sufficiently explicit intent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill is framed as playful and low-risk ('like astrology but with data') while omitting a prominent warning that it processes substantial personal and behavioral data from social media. This can normalize a sensitive data collection workflow and reduce user caution at the point of recommendation or adoption.

Missing User Warnings

High
Confidence
93% confidence
Finding
The skill encourages collection and cross-analysis of two people's social-media data without a prominent, upfront consent and privacy warning before data collection starts. Because the content is aimed at relationship profiling, missing consent safeguards materially increases the risk of unauthorized collection, interpersonal harm, and invasive inference from aggregated personal data.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill openly describes deep collection of profile and relationship data but does not provide a meaningful privacy disclosure, sensitivity warning, retention statement, or notice of how the data will be used. Users may not realize that favorites, social connections, and account metadata together reveal sensitive interests and associations.

Missing User Warnings

High
Confidence
93% confidence
Finding
The skill advertises full collection of a logged-in user's profile, movie/book history, and statuses without an upfront privacy warning commensurate with the sensitivity of this data. Because the data is used for matchmaking-style profiling, users may not understand that intimate preferences, behavioral history, and free-text content will be extracted and analyzed, creating a significant informed-consent gap.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill relies on authenticated fetch requests with credentials included across Douban subdomains, but does not clearly warn the user that their active browser session cookies will be reused to access account data. That omission obscures the true security boundary being crossed and can mislead users about the scope of access the skill obtains.

Missing User Warnings

High
Confidence
97% confidence
Finding
The skill does not prominently warn that it will automatically collect sensitive private-account data from the active logged-in user, including likes, favorites, and the complete following list. Lack of clear disclosure undermines informed consent and can cause users to reveal significantly more personal information than expected.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal