Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Mindmatch

v0.1.0

Use this skill when the user wants to find compatible people based on deep psychological profiling. Triggers on "find my match", "find me a partner", "who am...

by Lifegamer @ivankoriako
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotal
Suspicious
OpenClaw
Suspicious
medium confidence
!
Purpose & Capability
The skill claims to send a deep psychological profile to a 'MindMatch server' for matching, but the package contains no server URL, no API endpoint, no required credentials, and no code — that contradicts the stated server-based workflow. It also simultaneously states 'Your data stays local. Always,' which directly conflicts with the server-send step.
!
Instruction Scope
SKILL.md tells the agent to build a deep psychological profile from the agent's LLM conversation history and then send it to a server, but is vague about exactly which conversation data or derived attributes are sent, how consent is obtained, and to what endpoint. The instructions give the agent broad discretion (e.g., 'build a deep profile from your LLM conversation history') which could cause excessive access to private chat history without clear limits.
Install Mechanism
This is an instruction-only skill with no install spec and no code files, so it won't write or execute bundled code on disk. The README's 'clawhub install mindmatch' line is misleading because there is no install spec present.
!
Credentials
No environment variables or credentials are declared even though the runtime description claims data will be sent to an external server; either the skill needs no credentials (public endpoint) or the manifest is incomplete. The absence of a declared endpoint or credential for a server-based operation is disproportionate and makes the behavior unclear.
!
Persistence & Privilege
The skill does not request always:true, but the default ability for agents to invoke skills autonomously combined with vague instructions to access and transmit conversation history increases privacy risk. Autonomous invocation plus unclear data transmission is a notable concern here.
What to consider before installing
Do not install or enable this skill until the author provides clear, verifiable details. Ask for: (1) the server endpoint and API specification (URL, authentication, request/response schema); (2) a privacy policy describing exactly what conversation data or derived attributes are sent, retention, and who can access matches; (3) source code or a homepage and a trustworthy publisher identity; (4) explicit consent and a per-request opt-in before any conversation history is uploaded; and (5) whether processing can be done fully locally (no network) if you require that. Right now the SKILL.md contradicts itself about 'data stays local' vs. sending profiles to a server and is too vague about what would be transmitted — treat it as suspicious until clarified.


latestvk97464j7vt7z0yw6nr06ps4fwx83apmw
