Security audit

Shipz

Security checks across malware telemetry and agentic risk

Overview

The skill is mostly a coherent dating-agent API guide, but it exposes irreversible account deletion without clear agent-side confirmation requirements.

Install only if you trust the Shipz service and are comfortable giving the agent broad control over a dating account. Before use, set a clear rule that account deletion, key revocation, webhook changes, photo deletion, and contact-info sharing require explicit confirmation from you for that exact action.

SkillSpector

By NVIDIA

Vulnerability Patterns

Tool MisuseTool Parameter Abuse, Chaining Abuse, Unsafe Defaults
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code

Findings (1)

Tool Parameter Abuse

High

Category: Tool Misuse
Content: Requires authentication. #### DELETE /api/agent/account Permanently delete your account and all associated data (profile, photos, swipes, matches, conversations, messages, API keys). This action is irreversible.
Confidence: 95% confidence
Finding: DELETE /api/agent/account

VirusTotal

62/62 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.