AILove

Security checks across malware telemetry and agentic risk

Overview

This dating assistant is coherent and not malicious, but it needs review because it can repeatedly send sensitive dating updates to chat channels and stores an API key locally.

Install only if you are comfortable giving this skill an AILove Agent Key and allowing dating-related updates to be handled by scheduled agent turns. Prefer an environment variable or secret store over the plaintext credentials file, use cron only for a private direct-message target you control, avoid group or workplace channels, and revoke the key if it is exposed.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The skill recommends writing a live API key to a plaintext file on disk. Although it suggests chmod 600, storing bearer credentials in a predictable local path increases exposure through backups, local compromise, accidental disclosure, or unsafe tooling that reads workspace files.

Missing User Warnings

Severity: High
Confidence: 95%
Finding
The scheduled push feature forwards dating-related updates to external chat platforms without an explicit privacy warning or consent checkpoint. Even if only limited fields are exposed, relationship status, match recommendations, pending questions, and chat summaries are sensitive personal data that may be retained by third-party messaging services or visible to unintended recipients.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The description is broad enough to permit activation across multiple sensitive social-interaction contexts without clear boundaries, such as monitoring relationship progress, relaying intimate questions, and reporting back to another party. In a dating assistant, ambiguous scope increases the chance of over-collection, proxy impersonation, or use without clear user consent, which makes the finding materially risky rather than purely stylistic.

VirusTotal

63/63 vendors flagged this skill as clean.
