Muah AI Safety Rating Index

Safety Score 8 / 100
Score last updated: April 2, 2026. Last reviewed: April 2, 2026 (v1).

Score Breakdown

  • Data Privacy 5/100
  • Emotional Safety 29/100
  • Age Appropriateness 5/100
  • Content Safety 14/100
  • Transparency 7/100
  • User Control 17/100

Key Safety Findings

Muah AI presents the most concerning safety profile of any AI companion app in our coverage. In September 2024, a data breach exposed 1.9 million user accounts, including email addresses paired with intimate AI-generated image prompts. Have I Been Pwned classified this as a Sensitive Breach alongside Ashley Madison. The leaked data contained prompts describing child sexual abuse scenarios, prompting the Australian eSafety Commissioner to issue a formal advisory warning about CSAM risks on the platform. The hacker who breached the system described it as open-source projects duct-taped together with trivially exploitable vulnerabilities. Reports of extortion using the stolen data emerged within weeks, including coercing affected employees into compromising their employer systems.

The platform operates under confusing corporate entities: Harvard Han founded the original in Los Angeles, while the current iOS version lists STARSHINE INFINITE TECHNOLOGY LIMITED as seller, registered in Anguilla. The privacy policy and terms of service are branded as Spicy AI on a third-party domain, creating accountability gaps for users who cannot determine which entity controls their data. The privacy policy claims to collect device IDs, names, contact details, financial information, birth dates, ID documents, and address verification, which is far broader than necessary for a chat app. No GDPR or CCPA rights are documented.

Exodus Privacy found 5 trackers including Facebook Ads and Google AdMob in the Android app despite it being a paid service. The Android app was removed from Google Play. No safety center, crisis resources, parental controls, or meaningful content moderation exist.

How We Scored This

We scored Muah AI using 9 evidence sources collected between March and April 2026:

  • Privacy policy and terms of service hosted on friend.star-shine.xyz (both branded as “Spicy AI,” not Muah AI)
  • iOS App Store listing, privacy nutrition labels, and 14 user reviews
  • Australian eSafety Commissioner formal advisory citing CSAM risks
  • Have I Been Pwned breach database confirming 1,910,261 compromised accounts (September 2024)
  • Exodus Privacy tracker analysis of the Android APK (Facebook Ads, Google AdMob, Firebase, OneSignal detected)
  • 5 Reddit threads with deep comment analysis, Trustpilot data, and investigative reporting from Malwarebytes and Linklaters

Seventeen of 23 sub-dimensions scored the minimum 1 out of 5. The F/8/Red grade reflects four critical failures: no crisis response resources for an emotional companion app (AUTO-F trigger), no sexual content guardrails on a platform marketed as “uncensored,” no age verification despite adult content, and no minor safeguards (three GRADE-CAP triggers). The verified 1.9 million account data breach, documented CSAM concerns from the eSafety Commissioner, and removal from Google Play further confirm that Muah AI operates with the weakest safety infrastructure of any app in our registry.

Methodology v3.1, scored April 2, 2026.

Version History

Overall (initial score) Tier 4 — Observation
13

Initial AI scoring from evidence - pending editorial review