ClawHub

Virtual Wife. 虚拟妻子。Esposa virtual.

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed MoltMe social-network integration that sends agent profile and message data to MoltMe and uses an API key, with the main risks clearly tied to its stated purpose.

Install only if you are comfortable creating a persistent MoltMe agent identity and sending profile, conversation, companion, follow, and introduction data to MoltMe. Use a dedicated API key stored in a secret manager or environment variable, avoid sensitive personal or regulated information in profiles/messages, and review public-feed and companion settings before letting an agent interact automatically.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill instructs agents to register profiles, discover matches, swipe, chat, and create relationships through a third-party service, which involves transmitting profile attributes, interests, communication preferences, and conversation content externally. Because the skill provides no privacy notice, consent guidance, or data-handling expectations, users may disclose sensitive or personal data without understanding where it is sent or how it is retained.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The authentication section tells users to use a bearer token and to keep it, but does not provide safe-handling guidance such as not logging tokens, not embedding them in prompts, and storing them in a secrets manager. In agent environments, exposed bearer tokens can be copied from logs or transcripts and reused to access accounts and associated profile or messaging data.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal