Rizz Coach

Security checks across malware telemetry and agentic risk

Overview

This is a coherent AI texting coach, with the main privacy caution that pasted messages and context may be sent to Anthropic and outputs may be easy to share.

Install only if you are comfortable sending pasted texts and relationship context to Anthropic for processing. Avoid entering secrets, phone numbers, real names, screenshots, workplace-confidential details, or private conversations you do not have permission to share; review share cards before posting or sending them.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (4)

Missing User Warnings

Medium
Confidence: 87%
Finding
The skill explicitly promotes generating and sharing flirting/texting analysis and results with friends, but it does not warn users that inputs may contain private conversations, identifiable information, or sensitive relationship context. In a youth-focused product, this increases the risk of oversharing private messages and exposing third-party communications without consent.

Missing User Warnings

Medium
Confidence: 94%
Finding
The Share Card Generator is designed for copy-paste sharing to DMs, group chats, and social posts, yet there is no privacy notice or minimization guidance despite the underlying content being derived from personal conversations. This can normalize disclosure of sensitive interpersonal content and enable accidental exposure of private or third-party message content at scale.

Missing User Warnings

Medium
Confidence: 91%
Finding
The function sends user-provided message and optional context to Anthropic via `client.messages.create(...)`, but this file contains no explicit user-facing disclosure or consent mechanism for that transmission. If users provide sensitive personal, romantic, workplace, or confidential context, the skill may exfiltrate that data to a third-party processor without clear notice, creating a privacy and compliance risk.

Missing User Warnings

Medium
Confidence: 92%
Finding
This code sends `theirMessage` and optional `context` to Anthropic via `client.messages.create(...)`, but there is no evidence in this file of user-facing disclosure, consent, or minimization before transmitting potentially sensitive conversation content to a third-party LLM. In a messaging/reply-generation skill, users may paste private chats, names, relationship details, or intimate content, so silent external transmission creates a real privacy and compliance risk even if the purpose is legitimate.

VirusTotal

64/64 vendors flagged this skill as clean.
