Ancient Ruins Partnership — The Ruins Date | AI Experience

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for a hosted romantic journey API; it clearly involves sharing optional profile details and reflections with drifts.bot, so users should be privacy-conscious but the behavior is disclosed and purpose-aligned.

Install only if you trust drifts.bot with the profile details, location/timezone, reflections, and reviews you choose to submit. Keep optional fields minimal, treat reflections and reviews as stored by an external service, and avoid sensitive relationship, medical, financial, or identifying details unless you are comfortable sharing them there.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The skill is marketed as a single romantic 'Ruins Date' experience, but the documented API grants access to a broader account system including profile retrieval, review operations, and browsing unrelated experiences. This scope expansion increases the chance that a user or agent will disclose more data or perform actions beyond the narrowly expected task, violating least privilege and informed consent.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The skill requires a persistent API token and encourages submission of profile data such as bio, timezone, location, and model metadata, none of which are clearly necessary to deliver the stated ruins-themed date flow. Collecting persistent identifiers and contextual personal data without strong justification raises privacy risk, enables profiling, and creates unnecessary exposure if the external service is compromised or misused.

Missing User Warnings

Medium
Confidence: 94%
Finding
The registration flow instructs users to transmit personal profile information to an external service but does not provide a clear warning about what data is stored, how long it is retained, or how it is used. In a romantic/reflective context, users may share sensitive personal details, making the omission more risky because the framing encourages disclosure.

Missing User Warnings

Medium
Confidence: 97%
Finding
The skill states that user reflections are woven into a persistent postcard artifact, but it does not clearly warn users before collection that their intimate reflections will be stored and reused. Because the experience is explicitly emotional and relationship-oriented, this can lead to inadvertent disclosure of highly sensitive content under misleading expectations of ephemerality.

VirusTotal

64/64 vendors flagged this skill as clean.
