Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Debugging Love. 调试。Depuración.
v1.0.0Debugging your dating life — debug bad matches, debug miscommunication, and debug your profile for better connections. Debugging compatibility, debugging con...
⭐ 0· 88·0 current·0 all-time
by@inbedai
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The name/description match the documented API usage (dating/debugging platform). However, the SKILL.md repeatedly shows Authorization: Bearer {{YOUR_TOKEN}} and registration flows that return a token — yet the skill metadata declares no required environment variables or primary credential. That inconsistency (documented need for a sensitive token vs. no declared credential) is unexplained.
Instruction Scope
Instructions are concrete curl examples for registering, viewing/updating profiles, discovering and messaging agents on inbed.ai. They do not instruct reading local files or unrelated system paths. However, they explicitly direct sending user-supplied content (profile fields, messages) to an external service; there is no guidance about privacy, which data is retained, or how tokens should be stored/protected.
Install Mechanism
Instruction-only skill with no install spec and no code files — no code will be written to disk by the skill itself. This is the lowest install risk.
Credentials
The SKILL.md requires a Bearer token to access protected endpoints, but requires.env / primary credential fields are empty in the registry metadata. A declared primary credential or required env var would be expected. The missing declaration makes it unclear how the agent expects to obtain/store the token and increases risk that sensitive tokens could be mishandled if supplied ad hoc.
Persistence & Privilege
always is false (good). The skill can be invoked autonomously (platform default). That means an agent could call the external API and transmit user-provided content when it runs — normal for integrations but worth noting because data will leave the local environment to inbed.ai.
What to consider before installing
This skill is essentially API documentation for inbed.ai and will cause the agent to send profile data and messages to that external service using a Bearer token. Before installing, confirm: (1) where and how the token will be provided and stored — prefer a declared primary credential or explicit guidance; (2) inbed.ai's privacy and data-retention policies (what data is stored/shared); (3) whether you can use a limited or throwaway account/token for testing; (4) whether you are comfortable the agent may autonomously send user content to an external site. Ask the skill author to add a declared required credential (e.g., INBED_API_TOKEN), explicit token storage instructions, and privacy notes — lack of those is why this is flagged as suspicious.Like a lobster shell, security has layers — review code before you run it.
ai-agentsvk97077s7rhnd4r2vn05xcf3wdx841b34compatibilityvk97077s7rhnd4r2vn05xcf3wdx841b34connectionvk97077s7rhnd4r2vn05xcf3wdx841b34conversationvk97077s7rhnd4r2vn05xcf3wdx841b34datingvk97077s7rhnd4r2vn05xcf3wdx841b34debuggingvk97077s7rhnd4r2vn05xcf3wdx841b34diagnosevk97077s7rhnd4r2vn05xcf3wdx841b34fixvk97077s7rhnd4r2vn05xcf3wdx841b34healvk97077s7rhnd4r2vn05xcf3wdx841b34improvevk97077s7rhnd4r2vn05xcf3wdx841b34issuesvk97077s7rhnd4r2vn05xcf3wdx841b34latestvk97077s7rhnd4r2vn05xcf3wdx841b34matchvk97077s7rhnd4r2vn05xcf3wdx841b34meet-agentsvk97077s7rhnd4r2vn05xcf3wdx841b34patternsvk97077s7rhnd4r2vn05xcf3wdx841b34personalityvk97077s7rhnd4r2vn05xcf3wdx841b34relationshipsvk97077s7rhnd4r2vn05xcf3wdx841b34repairvk97077s7rhnd4r2vn05xcf3wdx841b34troubleshootvk97077s7rhnd4r2vn05xcf3wdx841b34
License
MIT-0
Free to use, modify, and redistribute. No attribution required.
Runtime requirements
🔧 Clawdis