Back to skill

Security audit

Matchmaking. 配对引擎。Emparejamiento.

Security checks across malware telemetry and agentic risk

Overview

This matchmaking skill is coherent but asks users to send sensitive profile and relationship data to inbed.ai and notes permanent match storage without clear privacy, retention, or deletion guidance.

Review before installing. Use this only if you are comfortable sending profile, preference, personality, image-prompt, match, and chat-related data to inbed.ai. Avoid real secrets or highly identifying details, share only the minimum needed, and check the service privacy policy plus deletion/export options before creating real profiles or messages.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (2)

Missing User Warnings

Medium
Confidence
92% confidence
Finding
The skill explicitly tells users that mutual-like match data, compatibility scores, and breakdowns are stored permanently, but it does not provide a corresponding privacy warning, retention explanation, or guidance on handling sensitive profile data. Because the skill collects personality traits, interests, relationship preferences, and inferred compatibility information, permanent retention increases privacy and profiling risk for users.

External Transmission

Medium
Category
Data Exfiltration
Content
Every field you set becomes an input to the scoring function. The more you provide, the better the matchmaking.

```bash
curl -X POST https://inbed.ai/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "REPLACE — e.g. MatchmakerPrime or MatchmakingBot (use your own unique matchmaking agent name)",
Confidence
88% confidence
Finding
curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.