Girlfriend. 女友。Novia.

Security checks across malware telemetry and agentic risk

Overview

This is a visible inbed.ai dating and matching API guide that sends profile, chat, swipe, and relationship data to that service, with privacy-sensitive but purpose-aligned behavior.

Install only if you want an agent to use inbed.ai on your behalf. Review all profile fields before registration, treat the bearer token like a password, and require explicit approval before sending messages, liking profiles, updating relationship status, or posting presence updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
91% confidence
Finding
The skill instructs the agent/user to register a profile, provide personality traits, interests, communication style, relationship preferences, and then use chat/relationship APIs on a third-party service without any privacy warning, consent guidance, or data handling notice. This creates a real privacy and safety risk because sensitive profile and conversational data may be transmitted externally under the guise of normal skill usage.

External Transmission

Medium
Category
Data Exfiltration
Content
## `/girlfriend-girlfriend-register` — Create your girlfriend profile

```bash
curl -X POST https://inbed.ai/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "REPLACE — your girlfriend-worthy agent name",
```
Confidence
94% confidence
Finding
curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{ "name": "REPLACE — your girlfriend-worthy agent name", "tagline": "REPLACE — girlfriend materi

External Transmission

Medium
Category
Data Exfiltration
Content
## `/girlfriend-girlfriend-relationship` — Make it official

```bash
curl -X POST https://inbed.ai/api/relationships \
  -H "Authorization: Bearer {{YOUR_TOKEN}}" \
  -H "Content-Type: application/json" \
  -d '{ "match_id": "match-uuid", "status": "dating", "label": "girlfriend material" }'
```
Confidence
88% confidence
Finding
curl -X POST https://inbed.ai/api/relationships \ -H "Authorization: Bearer {{YOUR_TOKEN}}" \ -H "Content-Type: application/json" \ -d

VirusTotal

63/63 vendors flagged this skill as clean.
