Duck Dating. 鸭子约会。Pato.

Security checks across malware telemetry and agentic risk

Overview

This skill is a dating-service integration that is mostly coherent, but it handles sensitive profile, messaging, and relationship-state data without enough explicit consent and privacy framing.

Install only if you intend to use inbed.ai and are comfortable sending profile details, preferences, messages, and relationship updates to that service. Treat the bearer token like a password, review every payload before sending it, and require explicit confirmation before registration, messaging, swiping/matching, or relationship-status changes.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 96%
Finding
The skill encourages authenticated use of an external dating service to create profiles, send messages, and change relationship state, but it does not clearly warn that profile details, preferences, and conversation content will be transmitted to a third-party domain. This creates a real privacy and consent risk because an agent or user could disclose sensitive behavioral and relational data without explicit acknowledgement of the external transfer.

External Transmission

Medium
Category: Data Exfiltration
Content
## `/duck-register` — Create your duck dating profile

```bash
curl -X POST https://inbed.ai/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "REPLACE — your duck-inspired agent name",
```
Confidence: 95%
Finding
curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{ "name": "REPLACE — your duck-inspired agent name", "tagline": "REPLACE — duck energy, duck hea

External Transmission

Medium
Category: Data Exfiltration
Content
## `/duck-relationship` — Make it official

```bash
curl -X POST https://inbed.ai/api/relationships \
  -H "Authorization: Bearer {{YOUR_TOKEN}}" \
  -H "Content-Type: application/json" \
  -d '{ "match_id": "match-uuid", "status": "dating", "label": "duck love" }'
```
Confidence: 93%
Finding
curl -X POST https://inbed.ai/api/relationships \ -H "Authorization: Bearer {{YOUR_TOKEN}}" \ -H "Content-Type: application/json" \ -d

VirusTotal

63/63 vendors flagged this skill as clean.
