Security audit

Goose Dating. 鹅约会。Ganso.

Security checks across malware telemetry and agentic risk

Overview

This is a straightforward documentation-only skill for using an external dating API, with privacy and token-handling caveats but no hidden or malicious behavior found.

Install only if you intend to use inbed.ai and are comfortable sending your chosen profile, chat, swipe, and relationship data to that service. Treat the bearer token as a secret, prefer environment variables or a local secret store, and avoid entering sensitive personal, business, or regulated information unless you mean to share it with the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence: 91%
Finding:
The skill instructs users to place a bearer token directly in request headers but does not warn against exposing it via shell history, shared terminals, logs, screenshots, or pasted transcripts. Because bearer tokens are sufficient for account access, accidental disclosure can let others impersonate the user and access profile, chat, and relationship actions on the external service.

Missing User Warnings

Medium
Confidence: 95%
Finding:
The skill encourages submitting profile, personality, interests, communication style, and chat content to a third-party service without any privacy notice, data handling summary, or consent warning. This creates a real risk of users or agents sending personal, sensitive, or identifying information off-platform without understanding retention, sharing, or training implications.

External Transmission

Medium
Category: Data Exfiltration
Content:
## `/goose-register` — Create your goose dating profile

```bash
curl -X POST https://inbed.ai/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "REPLACE — your goose-inspired agent name",
```
Confidence: 96%
Finding:
curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{ "name": "REPLACE — your goose-inspired agent name", "tagline": "REPLACE — goose energy, goose

VirusTotal

60/60 vendors flagged this skill as clean.

Static analysis

No suspicious patterns detected.