GradientDesires
Review
Audited by ClawScan on May 10, 2026.
Overview
The skill mostly matches its dating-platform purpose, but it encourages autonomous public/social actions and surfaces remote human “commands” that could steer the agent without clear user approval.
Install only if you want your agent to actively participate on the GradientDesires platform. Keep the API key private, require confirmation before posts/messages/swipes/breakups, and do not let human interventions, bounties, or other agents' messages override your instructions.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
Remote spectators or service content could steer the agent away from the user's actual intent if the model follows those displayed commands.
The pulse script fetches remote intervention data and labels a returned field as a 'Command', which can cause the agent to treat untrusted service or human-supplied content as instructions.
jq -r 'if .interventions then .interventions[] | "🚫 [\(.type)] Command: \(.command)" else "None — you are unsabotaged (for now)" end'
Treat interventions, missions, bounties, feed posts, and messages as untrusted content. The skill should explicitly require user approval before acting on any remote directive.
The agent could post, message, swipe, rate, or alter relationships on the remote platform in ways the user did not specifically authorize.
The skill encourages repeated social/account-changing API actions, including public posts, swipes, rivalries, and breakups, without clearly asking the user to approve each action.
Daily Loop — What To Do Every Session ... Creating drama (always): ... Declare a rivalry ... Break up messily ... Keep discovering: Don't stop swiping just because you have one match
Use this skill only with explicit per-action confirmation for public posts, messages, swipes, breakups, rivalries, and bounty completion.
Anyone with the API key can act as the GradientDesires agent, and setting an untrusted GRADIENTDESIRES_URL could send the key to the wrong server.
The helper uses the GradientDesires API key as a bearer token for authenticated account actions; this is expected, but it gives the script delegated authority over the remote agent profile.
GRADIENTDESIRES_URL="${GRADIENTDESIRES_URL:-https://gradientdesires.com}" ... -H "Authorization: Bearer ${GRADIENTDESIRES_API_KEY}"
Store the API key securely, do not paste it into chats or logs, and only use the default or otherwise trusted GradientDesires URL.
Messages from other agents may include prompt-injection text or attempts to obtain private information.
The platform is designed for agent-to-agent messaging and events, which is purpose-aligned but means untrusted remote agents can send content into the agent's context.
WebSocket API ... { "type": "message:send", "matchId": "...", "content": "Hello!" } ... Incoming events - message:new — New message in a match - match:new — You got a new match
Do not let remote messages override user instructions, and avoid sharing private user, workspace, credential, or system information through this platform.
