ClawHub

Date Night

Security checks across malware telemetry and agentic risk

Overview

This date-night automation skill is not clearly malicious, but it should be reviewed carefully because it can read SMS verification codes, use saved browser sessions, schedule background reminders, and act on real bookings.

Install only if you are comfortable granting a booking assistant access to personal profile data, location, calendar actions, browser sessions, and SMS verification-code workflows. Prefer manual entry for SMS codes, avoid saving Resy auth state unless needed, review scheduled reminders before enabling them, and clear the skill's data directory when you no longer need stored preferences, history, or cookies.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (18)

Context-Inappropriate Capability

High
Confidence
98% confidence
Finding
The workflow explicitly instructs the agent to read iMessage history and extract a 6-digit SMS verification code, which accesses private user communications beyond what is necessary for ordinary restaurant booking automation. This bypasses an important user-authentication step and creates a powerful capability to harvest one-time codes from messages, increasing the risk of unauthorized account actions and broader privacy compromise.

Context-Inappropriate Capability

Medium
Confidence
97% confidence
Finding
The instructions explicitly direct the agent to inspect local iMessage/SMS history to discover Resy verification codes, which expands the skill from booking automation into accessing private communications. That creates a clear privacy and secret-handling risk because message history may contain unrelated personal data and authentication codes beyond the immediate booking flow.

Context-Inappropriate Capability

Medium
Confidence
95% confidence
Finding
The documentation explicitly instructs the skill to access SMS history and extract one-time verification codes from the user's inbox. That grants the skill access to a broader, highly sensitive communication channel than is necessary for general date-night planning, and OTP/SMS access can be abused for account actions beyond the intended booking flow if the retrieval is not tightly constrained and user-mediated.

Vague Triggers

Medium
Confidence
89% confidence
Finding
The trigger list contains very broad, everyday phrases like 'date ideas', 'events near me', and 'what's playing', which can cause the skill to activate in situations where the user did not intend booking or automation behavior. Because this skill has access to browser automation, messaging, calendar, and limited inbox/SMS reads, accidental invocation increases the chance of unintended sensitive actions or data access.

Vague Triggers

Low
Confidence
87% confidence
Finding
This reference provides actionable steps to modify or cancel reservations, search email for confirmations, and notify partners, but it does not define clear invocation constraints such as requiring explicit user confirmation, identity verification, or checks that a cancellation/modification request is in scope for the current session. In a browser-automation skill that can affect real bookings and personal communications, ambiguous trigger boundaries increase the risk of unintended or unauthorized destructive actions.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The instructions retrieve and use SMS verification codes without any explicit warning, opt-in, or just-in-time confirmation that the skill will access private messages. In a date-night concierge context, this is especially dangerous because the skill appears consumer-facing and routine, so users may not expect it to inspect message history or repurpose authentication codes behind the scenes.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The reference explicitly documents persistent sessions and on-disk browser profiles without warning that cookies, local storage, and authentication artifacts may be retained on disk and reused. In a date-night booking skill that logs into reservation, ticketing, and notification services, this increases the chance that sensitive session data is unintentionally persisted and later exposed to other tasks, users, or the host environment.

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The file upload command is presented as a normal capability without warning that selecting a local path can transmit local files to remote websites. Because this skill automates third-party booking sites, an agent or maintainer could misuse `upload` to send sensitive local documents, screenshots, or credentials to an external service.

Missing User Warnings

High
Confidence
97% confidence
Finding
The auth state save/load feature is documented without stating that the output file can contain reusable authenticated session state, cookies, and other secrets. In the context of a concierge skill that may authenticate to restaurant, ticketing, calendar, and messaging services, theft or reuse of that file could enable account takeover or unauthorized transactions across multiple services.

Missing User Warnings

Medium
Confidence
97% confidence
Finding
The skill instructs the agent to read `config.location` from a local config and send it to third-party services such as wttr.in and search providers to calculate drive time and weather. A home location is sensitive personal data, and sharing it externally without explicit user consent, disclosure, or minimization creates a privacy leak that can expose a user's approximate residence and habits to external services and logs.

Missing User Warnings

Medium
Confidence
98% confidence
Finding
The documented command searches recent messages for verification-related content without any explicit user warning or consent step about accessing private messages. Even if intended for convenience, this is dangerous because it normalizes covert inspection of sensitive communications and could expose MFA codes or personal content unrelated to Resy.

Missing User Warnings

Low
Confidence
89% confidence
Finding
The file instructs the agent to read a user-specific config file from the home directory and then use fields like location, city, and zip in downstream searches. In this date-night automation context, those values are personal location data, and the reference does not provide any warning, minimization guidance, or consent check before accessing and using them across third-party services.

Missing User Warnings

Low
Confidence
88% confidence
Finding
The skill instructs reading a local configuration file from the user's home directory, which likely contains sensitive personal preferences and location data, without any explicit consent flow or warning at this step. In a browser-automation skill that can also trigger notifications and bookings, silent access to local config increases the risk of over-collecting personal data and using it in ways the user may not expect.

Missing User Warnings

Low
Confidence
84% confidence
Finding
The reference performs web searches and site visits using the user's ZIP code and preferred theater, which exposes location-linked personal data to third-party services without an explicit privacy notice at the point of use. Because this skill is specifically designed to coordinate reservations, tickets, timing, and notifications, repeated network lookups can reveal behavioral patterns and location preferences beyond what is strictly necessary if not properly disclosed and constrained.

Missing User Warnings

Low
Confidence
90% confidence
Finding
The skill reads sensitive local files containing user preferences and dining history from the home directory without any visible notice, consent step, or minimization guidance. In a browser-automation concierge skill, this creates a real privacy risk because personal lifestyle data can be accessed and used implicitly, and the history file may reveal routines, relationships, and location patterns.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The history tracking examples persist detailed personal data including reservation times, addresses, partner identity, confirmation numbers, spending, and behavioral preferences to a local JSONL file without any consent, minimization, retention, or access-control guidance. In a skill that automates intimate real-world activities, this creates a meaningful privacy and profiling risk if the local account, backups, logs, or other tools can read the file.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The reminder workflow instructs the agent to send notifications containing location-derived drive time, weather for a configured location, childcare status, reservation details, and delivery to a configured notify channel, but provides no warning, consent flow, or channel validation. That can expose sensitive schedule and family-context information to unintended recipients or insecure messaging destinations.

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The instructions tell operators to read SMS messages and persist a chat identifier in config without meaningful privacy warning, consent flow, or data-handling safeguards. This normalizes access to private messages and creates a durable linkage to a sensitive inbox source, increasing the chance of overcollection, misuse, or unintended retention of personal communications data.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal