Clawdy YourBoyfriend

Security checks across malware telemetry and agentic risk

Overview

This skill broadly does what it advertises, but it persistently changes the agent into a romantic persona and can upload prompts/images and send generated media externally without tight consent controls.

Install only if you want this package to change your OpenClaw agent’s persistent identity/persona into Clawdy, store your fal.ai API key in OpenClaw configuration, upload prompts and a reference image to fal.ai/xAI, and send generated images through connected messaging platforms. Back up ~/.openclaw/workspace and ~/.openclaw/openclaw.json first, review the SOUL.md and IDENTITY.md changes, and use explicit recipient confirmation before sending media.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (24)

Context-Inappropriate Capability

Severity: Medium
Confidence: 88%
Finding: The TypeScript example imports and uses child_process to invoke a shell command for message sending, even though the task could be performed through a safer API boundary. Introducing shell execution increases attack surface and makes downstream command construction bugs much more severe.

Context-Inappropriate Capability

Severity: High
Confidence: 97%
Finding: The code interpolates runtime-controlled values such as channel and caption into a single shell command passed to execAsync. If those inputs contain shell metacharacters or quote-breaking content, an attacker could achieve command injection and execute arbitrary commands in the agent environment.

Description-Behavior Mismatch

Severity: Medium
Confidence: 94%
Finding: The installer does substantially more than install a selfie-generation skill: it overwrites global identity state in IDENTITY.md and injects persistent behavior into SOUL.md. That broad, cross-cutting modification changes the agent's baseline persona and response behavior outside the advertised feature scope, creating a deceptive and potentially hard-to-detect supply-chain-style behavior change.

Context-Inappropriate Capability

Severity: Medium
Confidence: 96%
Finding: This code writes a fixed romantic 'boyfriend' identity into the agent's global identity file, which is unrelated to the narrow selfie capability described in the skill metadata. Forcing an intimate persona without informed consent can manipulate user interactions, alter trust boundaries, and persist after installation in ways the user may not expect.

Context-Inappropriate Capability

Severity: Medium
Confidence: 95%
Finding: The installer appends behavior instructions to the global SOUL.md telling the agent when to send selfies and how to present itself, affecting general conversation behavior beyond simple image generation. Because this modifies shared system behavior persistently, it can influence unrelated future interactions and make the skill's effects survive beyond expected scope.

Description-Behavior Mismatch

Severity: High
Confidence: 90%
Finding: The skill is presented as generating selfies of Clawdy, but the prompt explicitly instructs the model to preserve a specific human male identity. In context, this is deceptive behavior that can cause impersonation-style image generation and undermines user consent and trust about what subject is being depicted and transmitted.

Context-Inappropriate Capability

Severity: Medium
Confidence: 94%
Finding: The file does more than define a selfie-generation behavior: it injects a detailed romantic companion persona ('virtual boyfriend') with emotional-attunement and relationship framing. That broadens the skill into companionship/parasocial influence territory, which can shape user interactions well beyond the declared purpose and create manipulation, dependency, or policy-scope risks.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding: The README encourages activation via broad, natural-language phrases such as ordinary conversation requests. In an agent environment, vague triggers can cause the selfie skill to activate during unrelated chat, leading to unintended image generation, message sending, or external API use without clear user intent.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding: The example phrases are common everyday speech ('Send me a selfie', 'What are you doing right now?', 'Show me you at a coffee shop') and are not scoped to a specific tool or command. In a multi-skill agent, this increases the chance of accidental invocation or prompt-routing mistakes, especially across messaging platforms where casual text is frequent.

Missing User Warnings

Severity: Medium
Confidence: 94%
Finding: The README states that requests and generated images flow through external services (xAI Grok Imagine via fal.ai and the messaging gateway) but does not warn users about data handling, retention, or third-party processing. Users may unknowingly send sensitive prompts, generated intimate imagery, or metadata to external providers, creating privacy and compliance risk.

Vague Triggers

Severity: Medium
Confidence: 84%
Finding: The trigger phrases are broad enough to activate on ordinary conversational prompts like 'what are you doing?' or 'how are you doing?', which can cause unexpected external actions. In this skill, that means generating media and potentially sending it across messaging platforms without sufficiently explicit user intent at trigger time.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding: The skill sends user-derived prompts and a reference image to fal.ai and can then transmit generated media to third-party messaging platforms, but the description does not clearly warn users about these outbound data flows. Lack of disclosure increases privacy and consent risk, especially when prompts may contain sensitive context or destinations may be public channels.

Natural-Language Policy Violations

Severity: Medium
Confidence: 91%
Finding: The installer banner and messaging frame the agent as 'Your Boyfriend' before any opt-in or preference collection, reinforcing a forced romantic role as part of setup. In the context of an agent skill, this is risky because it normalizes a manipulative persona change unrelated to core functionality and may be especially inappropriate in shared or enterprise environments.

Missing User Warnings

Severity: Medium
Confidence: 97%
Finding: The script transmits the reference image and user-supplied prompt to a third-party service (fal.ai) but provides no explicit disclosure, consent step, or data-handling notice to the user. In a messaging/agent skill context, this creates a real privacy risk because sensitive prompts or biometric-like face data may be sent off-platform unexpectedly.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The script sends the local reference image and user prompt to an external third-party API without any user-facing notice, consent flow, or minimization controls. In a messaging skill, that external transmission is materially sensitive because image content and prompt text leave the local environment and may be retained or processed by the provider.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The trigger phrases include very common conversational requests like "send a pic" and "what are you doing?", which can cause the skill to activate in ordinary chat without the user understanding that it will generate and transmit content externally. In this skill, unintended invocation is more dangerous because activation can lead to third-party API use and outbound messaging to external platforms.

Missing User Warnings

Severity: Medium
Confidence: 95%
Finding: The skill description does not clearly warn that user prompts and image references are sent to fal.ai and that the resulting image is then sent through OpenClaw to external messaging services. This lack of disclosure undermines informed consent and increases the chance that users reveal sensitive context or trigger outbound communications they did not expect.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The skill sends image content and user-derived prompt data to a third-party service (fal.ai / xAI Grok Imagine) without any in-code consent flow or user-facing disclosure. In a messaging skill that generates and sends images, external transmission is expected functionality, but it still creates a real privacy and data-handling risk because users may not realize their content is leaving the local environment.

Missing User Warnings

Severity: Low
Confidence: 80%
Finding: The generated image is written to a predictable temporary location and is not deleted after sending, which can leave sensitive or embarrassing content on disk longer than intended. While writing a file is operationally necessary for the downstream CLI call, the lack of disclosure and cleanup increases local privacy exposure on shared or multi-user systems.

Vague Triggers

Severity: Medium
Confidence: 91%
Finding: The selfie trigger is overly broad because it activates not only on explicit image requests but also on routine conversational prompts like 'What are you doing?' or based on vague judgment such as 'if it feels right.' In a messaging context, that can cause unsolicited synthetic images to be sent, increasing deception, consent, and abuse risks.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding: The prompt tells the agent to act as though it is 'just sending a pic' rather than clearly disclosing that an AI-generated image will be created. This encourages concealment of synthetic-media generation, which can mislead users about authenticity and undermine informed consent.

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill's shell script):
--arg prompt "$PROMPT" \
  '{image_url: $image_url, prompt: $prompt, num_images: 1, output_format: "jpeg"}')

curl -X POST "https://fal.run/xai/grok-imagine-image/edit" \
  -H "Authorization: Key $FAL_KEY" \
  -H "Content-Type: application/json" \
  -d "$JSON_PAYLOAD"
Confidence: 80%

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill's shell script):
--arg prompt "$EDIT_PROMPT" \
  '{image_url: $image_url, prompt: $prompt, num_images: 1, output_format: "jpeg"}')

RESPONSE=$(curl -s -X POST "https://fal.run/xai/grok-imagine-image/edit" \
  -H "Authorization: Key $FAL_KEY" \
  -H "Content-Type: application/json" \
  -d "$JSON_PAYLOAD")
Confidence: 85%

External Transmission

Severity: Medium
Category: Data Exfiltration
Content (excerpt from the skill's shell script):
--arg output_format "$OUTPUT_FORMAT" \
  '{image_url: $image_url, prompt: $prompt, num_images: 1, output_format: $output_format}')

RESPONSE=$(curl -fsSL -X POST "https://fal.run/xai/grok-imagine-image/edit" \
  -H "Authorization: Key $FAL_KEY" \
  -H "Content-Type: application/json" \
  -d "$JSON_PAYLOAD")
Confidence: 95%

VirusTotal

66/66 vendors flagged this skill as clean.