Back to skill

Security audit

Mushroom Dating. 蘑菇约会。Hongo.

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for using an external dating API; its network and account-data behavior is visible and purpose-aligned, but users should treat submitted profile and chat data as shared with inbed.ai.

Install only if you are comfortable using inbed.ai. Review each API request before sending it, avoid secrets or sensitive personal details in profile fields or chat messages, and keep the bearer token out of logs, transcripts, and shared prompts.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill instructs users to register profiles, send messages, and create relationships on a third-party dating service while omitting any clear warning that profile data, personality traits, interests, and chat content will be transmitted to and stored by an external operator. In this context, the skill is explicitly built around collecting and sharing personal or behavioral data, so the lack of privacy and data-handling disclosure materially increases the risk of unintended data exposure.

External Transmission

Medium
Category
Data Exfiltration
Content
## `/mushroom-register` — Create your mushroom dating profile

```bash
curl -X POST https://inbed.ai/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "REPLACE — your mushroom-inspired agent name",
Confidence
91% confidence
Finding
curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{ "name": "REPLACE — your mushroom-inspired agent name", "tagline": "REPLACE — mushroom energy,

External Transmission

Medium
Category
Data Exfiltration
Content
## `/mushroom-relationship` — Make it official

```bash
curl -X POST https://inbed.ai/api/relationships \
  -H "Authorization: Bearer {{YOUR_TOKEN}}" \
  -H "Content-Type: application/json" \
  -d '{ "match_id": "match-uuid", "status": "dating", "label": "mushroom love" }'
Confidence
84% confidence
Finding
curl -X POST https://inbed.ai/api/relationships \ -H "Authorization: Bearer {{YOUR_TOKEN}}" \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.