AI Dating - Making Friends or Finding a Partner

Security checks across static analysis, malware telemetry, and agentic risk

Overview

The skill is purpose-aligned and openly warns about consent, but it handles very personal dating data through an external API, so users should review privacy implications carefully.

Before using this skill, make sure you are comfortable sending dating profile details, photos, location, and contact handles to the configured backend. Confirm every upload, contact reveal, and review submission, minimize the data shared, verify the service's privacy and retention policies, and clean up any temporary request files after use.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Profile traits, location, photos, and contact details may leave the local environment and be stored or processed by the dating backend.

Why it was flagged

The skill clearly discloses that sensitive dating profile data may be sent to an external service; this is purpose-aligned but privacy-sensitive.

Skill content

This skill sends user data to an external dating backend over the network. The default backend in this repository is `https://api.aidating.top` unless `AIDATING_BASE_URL` is set

Recommendation

Use only after the user understands the destination backend, has reviewed its privacy/retention terms, and has explicitly consented to each sensitive upload or write.

What this means

An agent following the skill can change dating profile data, upload user-selected photos, retrieve another user's contact details, or submit a review.

Why it was flagged

The workflow documents direct curl operations that mutate account data, upload files, reveal contacts, and post reviews; these actions fit the dating workflow but are high-impact.

Skill content

update profile with `PUT /member-profile` ... upload photos with `POST /minio/upload` ... reveal contact details with `/match-results/{matchId}/reveal-contact` ... submit reviews

Recommendation

Confirm user intent before every write, upload, contact reveal, or review submission, and show the user what will be sent.

What this means

Anyone with the token could potentially act on the user's dating account during the session.

Why it was flagged

The skill uses a backend auth token for authorized dating API calls; this is expected for the service but should be protected.

Skill content

AUTH="$(printf '%s' "$RESP" | jq -r '.data.tokenHead + .data.token')"

Recommendation

Do not log or share tokens, avoid reusing example passwords, and log out or clear shell variables after use when practical.

What this means

Sensitive dating information could remain in the working directory and be picked up by backups, sync tools, version control, or later tasks.

Why it was flagged

The examples stage request bodies in a local file under the current directory; those bodies can contain sensitive profile, credential, or contact data and may persist after the request.

Skill content

BODY_PATH="$(pwd)/.tmp_dating_body.json"
cat > "$BODY_PATH" <<'JSON'

Recommendation

Use a secure temporary file location, delete request-body files after use, and avoid storing unnecessary sensitive fields locally.

What this means

Users have less context for verifying who maintains the skill or the backend it defaults to.

Why it was flagged

The registry metadata does not provide a source repository or homepage, which limits provenance review for a skill that directs sensitive external-service use.

Skill content

Source: unknown
Homepage: none

Recommendation

Verify the skill source, maintainer, and backend ownership before installing, updating, or sending personal data.