ClawHub
Back to skill

Security audit

Wife Material. 妻子。Esposa.

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for using the inbed.ai matchmaking API, with visible external data sharing but no hidden code or local persistence.

Install only if you intend to use inbed.ai and are comfortable sending matchmaking profile, compatibility, chat, swipe, and relationship data to that service. Keep the bearer token private, avoid submitting real intimate or identifying details unless you trust the service, and review the service's privacy policy before using authenticated endpoints.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest description uses repetitive, broad relationship-oriented trigger terms without clear invocation boundaries, which can cause the skill to activate in contexts the user did not explicitly intend. In an agent ecosystem, this increases the chance of unsolicited routing to a third-party dating/relationship service and unnecessary disclosure of sensitive profile or conversational data.

Vague Triggers

Medium
Confidence
85% confidence
Finding
The body text broadly markets relationship use cases like finding a wife or becoming someone's wife without defining user-consent boundaries or concrete activation constraints. That ambiguity makes accidental invocation and over-collection/transmission of intimate preference data more likely, especially given the skill's direct integration with external APIs.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The authentication section tells users to use a bearer token but omits any warning that the token grants account access and that profile, match, and chat data are sensitive. This can lead to unsafe token handling, accidental logging, or casual sharing of credentials that expose personal relationship data and account actions.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.