Security audit

create-virtual-girlfriend(虚拟女友)

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only virtual companion skill whose memory behavior is disclosed and purpose-aligned, but users should treat saved personal details as private data.

Install only if you are comfortable with a roleplay companion that may save personal preferences and emotional context. Avoid sharing passwords, financial, medical, legal, or highly sensitive personal information, and use the memory review/forget commands while understanding that exact deletion depends on the host platform's memory implementation.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (4)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The guide explicitly encourages collection and retention of sensitive personal details, emotional disclosures, habits, and relationship history, but provides no notice about privacy, storage duration, sharing, or consent. In a romantic-companion context, users are especially likely to reveal intimate information, so silent persistence increases the risk of overcollection, unexpected retention, and privacy harm.

Missing User Warnings

Medium

Confidence: 94% confidence
Finding: The save and clear memory commands are presented as simple conversational phrases without explaining what data retention means in practice or whether deletion is immediate, complete, and irreversible. This can mislead users into believing they have precise control over stored personal data when the system may retain logs, backups, or derived summaries.

Missing User Warnings

Medium

Confidence: 90% confidence
Finding: This skill is explicitly designed as a 'virtual girlfriend' and presents multiple relationship-simulation personas without any boundary-setting, disclosure, or guidance to avoid fostering emotional dependency. In an emotional-companion context, the absence of warnings and limits increases the risk of anthropomorphic attachment, manipulative reliance, and inappropriate handling of vulnerable users seeking intimacy or support.

Ssd 3

Medium

Confidence: 92% confidence
Finding: The guide normalizes retaining and reciting broad categories of personal and relationship data in plain language, including important dates, emotional moments, stories, routines, and promises. In this context, such recall can expose highly sensitive user profiling data to anyone with access to the session or memory store, and increases the risk of intimate-data leakage or abusive overpersonalization.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal