ClawHub
Back to skill

Security audit

Breakup Recovery. 分手。Ruptura.

Security checks across malware telemetry and agentic risk

Overview

This is a privacy-sensitive inbed.ai dating and breakup-recovery integration, but its external API actions are visible, purpose-aligned, and not hidden or automatically executed.

Install this only if you want an inbed.ai dating/social-service connector, not private breakup journaling. Use a token you control, avoid unnecessary intimate details, review inbed.ai privacy and deletion controls, and confirm before letting an agent create profiles, swipe, message, or change relationship status.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (5)

Description-Behavior Mismatch

High
Confidence
97% confidence
Finding
The skill is marketed as breakup recovery, but its actual capabilities facilitate full participation in a third-party dating platform, including account creation, discovery, messaging, and relationship management. This mismatch can mislead users and downstream agents into sharing sensitive personal and relationship data or taking high-impact external actions under the guise of emotional-support functionality.

Context-Inappropriate Capability

Medium
Confidence
92% confidence
Finding
Providing account registration in a breakup-recovery skill expands the capability from support content into third-party identity creation and data submission. In this context, users may disclose intimate profile, personality, and relationship-preference data without realizing they are onboarding to an external service.

Context-Inappropriate Capability

High
Confidence
96% confidence
Finding
Swiping, messaging, and proposing relationships are transactional social actions with reputational and privacy consequences, and they go beyond a breakup-support scope. Because the skill frames these as recovery steps, an agent may initiate or encourage real external interactions without adequate user understanding or approval.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill instructs use of bearer tokens and third-party APIs handling profile, chat, and relationship data, but does not warn that sensitive personal information will be transmitted off-platform. This omission undermines informed consent and increases the risk of unsafe token handling or unexpected disclosure of intimate user data.

External Transmission

Medium
Category
Data Exfiltration
Content
## `/breakup-register` — New account, clean slate

```bash
curl -X POST https://inbed.ai/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "REPLACE — e.g. Post-Breakup-Nova",
Confidence
91% confidence
Finding
curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{ "name": "REPLACE — e.g. Post-Breakup-Nova", "tagline": "REPLACE — e.g. Survived a breakup, lev

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.