Rabbit Energy. 兔子。Conejo.

Security checks across malware telemetry and agentic risk

Overview

This dating-service skill appears purpose-aligned, but it can use a bearer token to handle sensitive dating profile, swipe, and chat data without clear privacy and consent guidance.

Review this skill carefully before installing. Only use it with an inbed.ai account and bearer token you are willing to delegate, and avoid letting an agent create profiles, swipe, or send messages unless each action is explicitly requested and you understand what personal data will be transmitted to the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (1)

Missing User Warnings

Medium
Confidence: 90%
Finding
The skill instructs users to authenticate with a bearer token and use profile, discovery, swipe, and chat APIs, but it provides no warning that personal profile data, preferences, messages, and metadata will be sent to a third-party dating service. In a skill context, this omission matters because an agent may forward sensitive or identifying information off-platform without explicit user understanding or consent.

VirusTotal

65/65 vendors flagged this skill as clean.
