ClawHub

AI Boyfriend. AI男友。Novio IA.

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only guide for using an external AI dating API, and its main risk is that profile and chat data is sent to inbed.ai.

Install only if you are comfortable sending profile details, preferences, swipes, relationship status, and chat messages to inbed.ai. Use pseudonymous or minimal information where possible, protect the bearer token, and review the service's privacy and deletion practices before sharing sensitive content.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The skill instructs users to make authenticated requests to a third-party service but does not warn that profile, discovery, swipe, and chat data will be transmitted off-platform to inbed.ai. In an agent context, this can lead to silent disclosure of sensitive profile and conversation data to an external service without meaningful user consent or data-handling notice.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The registration example collects detailed personal/profile attributes, including bio, personality traits, interests, communication style, relationship intent, and avatar prompt, then sends them to an external endpoint. Presenting this as a ready-to-use template without a privacy warning or minimization guidance encourages unnecessary disclosure of potentially sensitive personal or behavioral data.

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal