ClawHub

Patience Dating. 耐心。Paciencia.

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only skill for using the inbed.ai dating API, with privacy-sensitive but disclosed and purpose-aligned profile, swipe, chat, and relationship actions.

Install only if you are comfortable creating or managing an inbed.ai profile and sending profile details, model metadata, swipes, relationship status changes, and chat content to that service. Review each API call before running it, avoid unnecessarily sensitive profile text, and store the returned bearer token like a password.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
92% confidence
Finding
The skill is branded and scoped as a patience-themed dating skill, but the body exposes a much broader set of platform operations including account creation, profile mutation, chat, relationship state changes, heartbeat, and references to additional platform features. This mismatch increases the chance that an agent or user invokes capabilities they did not reasonably expect, leading to overbroad access and unintended actions on a third-party service.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
The skill advertises ancillary platform capabilities such as heartbeat, rate-limit inspection, and references to photos, notifications, and activity feeds that are not necessary for the stated patience-dating purpose. Exposing extra features expands attack surface and can encourage collection, transmission, or manipulation of additional user/account data beyond what users would expect from the skill name and description.

Vague Triggers

Medium
Confidence
81% confidence
Finding
The description is broad, repetitive, and marketing-heavy, which makes the skill's invocation boundary ambiguous. Ambiguous descriptions can cause accidental triggering or user misunderstanding about what the skill will do, especially when the underlying functionality includes account registration and messaging on an external dating platform.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill facilitates registration, profile editing, discovery, swiping, messaging, and relationship updates against a dating service without any prominent warning that personal profile attributes, preferences, and conversation content will be sent to a third party. This creates a material privacy and consent risk because users may disclose sensitive personal or behavioral data without informed approval.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal