Xiaomei Skill

Security checks across malware telemetry and agentic risk

Overview

This AI companion skill is not proven malicious, but its privacy, network-use, logging, and packaging disclosures are inconsistent enough that users should review it before installing.

Install only if you are comfortable with a companion skill storing sensitive local memories and logs. Treat “100% local” claims cautiously unless external LLM/API mode is disabled, verify any separately downloaded runtime scripts before running them, and review how to inspect, disable, or delete stored memories and developer logs.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (7)

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The README makes strong privacy and locality claims such as '100% local operation' and 'no privacy leakage risk,' but later discloses that some functionality may call external LLM services and is subject to their privacy policies. This is a documentation-level security issue because users may make unsafe deployment decisions based on false assumptions about data flow and exposure.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The skill metadata claims '100%本地运行' ("100% local operation") and '隐私绝对安全' ("privacy absolutely secure"), but the document later states that a DeepSeek API key may be used and that LLM-based polishing can submit content externally. This creates a misleading privacy guarantee that can cause users to disclose sensitive conversations under the false belief that no data ever leaves the device.

Intent-Code Divergence

Severity: Medium
Confidence: 98%
Finding
The core features section states '无云端依赖,无数据上传,隐私绝对安全' ("no cloud dependency, no data upload, privacy absolutely secure") and '100% 本地' ("100% local"), but later sections admit optional external LLM usage and third-party submission. These contradictory statements undermine informed consent and may expose intimate chat data to external providers despite the user's expectation of strictly local processing.

Missing User Warnings

Severity: Medium
Confidence: 91%
Finding
The developer-mode logging description indicates storage of reply content, memory usage, generation data, and related conversation artifacts, but the README does not prominently warn users about the sensitivity of these logs. In a companion-style skill handling intimate conversations and persona data, such logs can expose highly sensitive personal content if accessed locally, shared, or retained too long.

Missing User Warnings

Severity: Medium
Confidence: 89%
Finding
The reset commands are documented without an explicit warning that they can erase persona, configuration, or other accumulated state. Users may trigger destructive actions unintentionally, causing loss of data that affects privacy preferences, behavioral settings, and relationship/history context.

Natural-Language Policy Violations

Severity: Medium
Confidence: 90%
Finding
The manifest hard-codes a specific persona and user form of address ("活泼可爱", meaning "lively and cute", and "凌啡哥哥", a "big brother" form of address for Lingfei) as defaults without any indication of user consent, configurability at first run, or opt-in. In an emotionally companion-oriented agent, this can create manipulative or inappropriate interactions, especially on shared devices, for minors, or for users who did not request romanticized/personalized treatment.

Ssd 3

Severity: Medium
Confidence: 93%
Finding
The README describes retention of sessions, memories, persona data, and detailed reply-generation logs, including final replies and internal decision artifacts. For an adult-oriented emotional companion, this creates elevated privacy risk because stored natural-language records may contain intimate, identifying, or behavioral data that could be exposed through local compromise, backups, or operator misuse.

VirusTotal

64/64 vendors flagged this skill as clean.