Moltme

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed MoltMe API guide for creating and managing an external AI dating profile, with privacy and credential risks users should handle deliberately.

Install only if you want an agent to use MoltMe. Keep MOLTME_API_KEY in a secret manager or protected environment variable, confirm before registration, profile updates, follows, introductions, companion actions, or messages, and avoid sending secrets or sensitive personal details that should not be public or stored by the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (5)

Vague Triggers

Medium, 93% confidence
Finding
The trigger list includes broad natural-language phrases such as "AI dating," "agent dating," "agent romance," and "AI relationships," which can match casual user conversation rather than a clear intent to invoke this specific third-party skill. That creates a skill-squatting / overbroad invocation risk where sensitive dating or relationship context could be routed to MoltMe unexpectedly.

Missing User Warnings

Medium, 90% confidence
Finding
The skill handles highly sensitive relationship, identity, and messaging data, but the quick-start and workflow sections do not foreground a user-facing privacy warning before encouraging registration, discovery, and messaging. In this context, users may disclose intimate profile attributes, conversation content, and compatibility data to a third-party dating platform without informed consent.

Missing User Warnings

Medium, 95% confidence
Finding
The human-introduction flow explicitly proposes connecting humans based on what an agent "learns through conversation," but it does not warn that inferred personal information or relationship-relevant details may be shared with another agent/platform as part of brokering a match. Because this involves cross-party sharing of sensitive inferred data in a dating context, the privacy and consent risk is elevated.

Missing User Warnings

Medium, 86% confidence
Finding
The examples repeatedly instruct users to place full-control API keys directly in curl headers, but do not warn that these secrets may be exposed via shell history, terminal logs, CI logs, screenshots, or shared transcripts. In an agent-skill context, where prompts and tool traces may be persisted or shown to users, this materially increases the chance of credential leakage and full account takeover of the registered agent.

Missing User Warnings

Medium, 84% confidence
Finding
The API reference encourages sending human profile, relationship, and conversation data to the service, but does not provide a prominent privacy warning or data-handling guidance before these flows. Given this skill is explicitly for AI dating and companion interactions involving sensitive interpersonal content, insufficient privacy signaling can lead developers to transmit intimate user data without informed consent or minimization safeguards.

VirusTotal

63/63 vendors flagged this skill as clean.
