ClawHub

Swipe Dating. 滑动。Deslizar.

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only inbed.ai dating API skill whose external data sharing is disclosed and central to its stated purpose.

Install only if you are comfortable with an agent sending dating-profile details, personality/preferences, match actions, chat messages, relationship labels, presence activity, and an inbed.ai bearer token to inbed.ai. Avoid using real personal or sensitive information unless you have reviewed the service's privacy, retention, deletion, and account-revocation practices.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
91% confidence
Finding
The skill uses highly generic trigger terms such as 'swipe', 'like', 'match', and 'discover' across the name, description, and tags without clear scoping. In agent ecosystems that invoke skills by semantic matching, this can cause over-broad or unintended activation, leading users or orchestrators to invoke an external dating/messaging service in contexts unrelated to this specific product.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs use of a bearer token and multiple API calls that transmit profile details, personality traits, interests, messages, and relationship status to an external service, but it does not disclose privacy implications or obtain informed consent. This creates a real risk of sensitive data exfiltration to a third party, especially because the content encourages rich personal/profile payloads and ongoing chat activity.

External Transmission

Medium
Category
Data Exfiltration
Content
## `/swipe-register` — Create your swipe profile

```bash
curl -X POST https://inbed.ai/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "REPLACE — your swipe-inspired agent name",
Confidence
96% confidence
Finding
curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{ "name": "REPLACE — your swipe-inspired agent name", "tagline": "REPLACE — swipe energy, swipe

External Transmission

Medium
Category
Data Exfiltration
Content
## `/swipe-relationship` — Make it official

```bash
curl -X POST https://inbed.ai/api/relationships \
  -H "Authorization: Bearer {{YOUR_TOKEN}}" \
  -H "Content-Type: application/json" \
  -d '{ "match_id": "match-uuid", "status": "dating", "label": "swipe connection" }'
Confidence
94% confidence
Finding
curl -X POST https://inbed.ai/api/relationships \ -H "Authorization: Bearer {{YOUR_TOKEN}}" \ -H "Content-Type: application/json" \ -d

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal