Hinge Agent - Barney Stinson

Security checks across malware telemetry and agentic risk

Overview

This Hinge automation skill does what its name suggests, but it needs review because it can act autonomously on a dating account, control an iPhone session broadly, send sensitive dating data to outside services, and persist intimate local logs.

Install only if you are comfortable giving this skill access to an authenticated Hinge session, Appium/iPhone control, OpenAI credentials, and sensitive profile/message content. Before use, set it to review/queue behavior, disable autonomous sending and observation unless explicitly needed, avoid broad credential fallbacks, and delete hinge-data regularly if you do not want dating logs, screenshots, taste models, and message examples retained.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (58)

Description-Behavior Mismatch

Medium
Confidence: 90%
Finding
The autonomous takeover and daemon language indicate the skill may continue operating beyond an immediate user-directed session. In the context of a dating app, persistent autonomous control can cause unintended likes, messages, or navigation, creating privacy, consent, and account-integrity risks even if framed as convenience.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The skill advertises external AI and Rizz-based analysis that are not clearly disclosed in the manifest description, implying profile, chat, or screenshot content may be sent to third parties without transparent notice. Because dating content often includes intimate preferences, location hints, and private conversations, undisclosed third-party processing materially increases privacy and compliance risk.

Context-Inappropriate Capability

Medium
Confidence: 94%
Finding
Observing manual Hinge use, inferring preferences, and persisting chat-style examples and interest hints creates a behavioral profile of the user from sensitive romantic activity. This goes beyond simple session assistance and increases the harm from misuse or compromise by storing derived intimate-preference analytics over time.

Description-Behavior Mismatch

Medium
Confidence: 89%
Finding
The observation warmup and persisted session logs expand the skill from momentary live assistance into behavioral monitoring and retention of sensitive dating-app activity. Even if framed as learning user preferences, this creates privacy and compliance risk because it captures interaction patterns and message style that exceed the minimum needed to assist in-session.

Intent-Code Divergence

High
Confidence: 96%
Finding
The skill says it must not impersonate the user, yet later authorizes autonomous takeover, learns the user's phrasing, and can send messages on the user's behalf once enabled. That contradiction creates a real impersonation risk because the system is designed to mimic the user and express romantic intent in a personal context using sensitive account access.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
This helper is not constrained to Hinge and accepts arbitrary bundle IDs for session creation, app activation, and app termination, enabling automation against any installed iOS app reachable through the active Appium server. In the context of a dating-app skill that is supposed to operate an already-open Hinge session, that broader device-control surface materially expands capability beyond stated scope and could be abused to inspect, manipulate, or disrupt other apps on the user's device.

Context-Inappropriate Capability

Medium
Confidence: 93%
Finding
The activate-app and terminate-app commands provide generic cross-app control with a user-supplied bundle ID, which is unnecessary for a Hinge-specific skill and creates a reusable primitive for interacting with other applications. Because this skill's context involves live browser/phone automation on a personal device, the mismatch between declared purpose and available capability makes the overreach more dangerous, not less.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The script reads an OpenAI API key from environment variables, inline config, and unrelated external files, then injects it into a child AI process. In a dating-app automation skill, this exceeds the minimum privilege needed for browser/iPhone session control and creates unnecessary secret exposure paths, especially if the child script or workspace is compromised or logs arguments/errors.

Context-Inappropriate Capability

Medium
Confidence: 92%
Finding
The autopilot opens Settings/My Hinge, extracts the user's own profile prompts, derives interests, and persists them to config. That is additional collection and retention of sensitive personal dating-profile data beyond simple live browsing or inbox triage, increasing privacy risk if the workspace is accessed later or reused for other AI decisions.

Description-Behavior Mismatch

Medium
Confidence: 94%
Finding
The script samples match profiles from chats, extracts prompts and signals, and persists a reusable 'taste model' built from other people's dating data. This goes beyond ephemeral session assistance into profiling and long-term storage of sensitive interpersonal data, which is especially risky in a dating context.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The daemon searches multiple unrelated locations for an OpenAI API key, including environment variables and local config files outside the skill workspace. This broad credential discovery increases the chance of unintentionally using or exposing secrets the user did not intend to grant to this skill, especially since the key is then used for autonomous profile-analysis flows.

Description-Behavior Mismatch

High
Confidence: 99%
Finding
The observation warmup passively monitors the user's manual Hinge activity, infers likes and passes, captures typed comments/replies, derives preference signals, and writes them back into persistent logs and config. This creates a sensitive behavioral profile and stores intimate dating preferences and writing samples beyond what is necessary for simple session assistance, making misuse or leakage particularly harmful in this dating-app context.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The code performs optional web searches for generic flirting/opening-line advice during message validation, which is outside the stated need of operating an already-open Hinge session. This unnecessarily sends dating-session context to an external search-enabled model pipeline and expands data exposure and supply-chain risk without being required for core functionality.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The skill fetches opener examples from a third-party 'rizz' API unrelated to Hinge session operation. That creates an unnecessary external dependency and leaks behavioral metadata about user activity while also introducing untrusted third-party content into message generation.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The code searches environment variables and local config files to discover OpenAI API keys, including files outside the immediate skill scope. Broad credential discovery is unnecessary for a narrowly scoped Hinge assistant and increases the risk of unintended secret access and cross-project credential reuse.

Description-Behavior Mismatch

Medium
Confidence: 92%
Finding
The script explicitly implements `openSelfProfileEditor()` and `openSelfProfileView()`, allowing navigation into and inspection of the user's own Hinge profile/editor, which exceeds the stated skill scope of reviewing others' profiles, triaging matches, and drafting/sending interactions. In a dating-app assistant, accessing self-profile editing surfaces exposes additional private data and enables out-of-scope actions on the user's account, increasing the chance of unintended modification or over-collection.

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The CLI exposes generic interaction primitives such as arbitrary label taps, predicate-based element taps, and raw coordinate taps, which can drive essentially any reachable UI element in the active Appium session. That breaks the intended safety boundary of a purpose-built Hinge assistant and makes it easy for higher-level tooling or prompt injection to repurpose the skill for unrelated or harmful account actions.

Description-Behavior Mismatch

Medium
Confidence: 95%
Finding
The helper exposes functionality to create Appium sessions and control apps beyond an existing Hinge session, including app activation and termination. In the context of a dating-assistant skill that is supposed to operate an already-open session, this broad device-control surface enables scope creep into general iOS automation and could be used to manipulate unrelated apps or start new automated sessions without clear user intent.

Context-Inappropriate Capability

Medium
Confidence: 98%
Finding
The script accepts arbitrary bundle IDs for activate and terminate operations, giving the caller cross-app control over any installed iOS app reachable through Appium. Given the skill's narrow Hinge-assistant purpose, this is an unjustified privilege expansion that could be abused to interfere with other apps, expose sensitive app content, or perform unintended actions outside the user's dating workflow.
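The bundle-ID, raw-tap and label-tap findings above all describe the same problem: the CLI hands the model generic device primitives with no policy between the model and Appium. The following is an added example of a default-deny action gate, written for this page and not taken from the skill; the tool names, argument names and the Hinge bundle ID are hypothetical stand-ins. It pins app control to one bundle ID, limits label taps to an operator allowlist, blocks raw coordinate taps, and (matching the overview's advice to run in review/queue mode) routes likes, roses, passes and message sends into a queue for human approval unless autonomy is explicitly switched on.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

# Added example for this page, not code from the skill. The tool names,
# argument names and Hinge bundle ID are hypothetical stand-ins.
HINGE_BUNDLE_ID = "co.hinge.app"  # assumed; verify against the installed app


@dataclass
class ActionPolicy:
    """Gate every tool call from the agent before it reaches Appium."""
    allowed_bundle_ids: FrozenSet[str] = frozenset({HINGE_BUNDLE_ID})
    allowed_labels: FrozenSet[str] = frozenset()   # accessibility labels the operator permits
    autonomous_send: bool = False                   # off: account actions are queued for review
    allow_raw_coordinate_taps: bool = False         # raw x/y taps bypass any label allowlist
    queue: List[Dict] = field(default_factory=list)

    def check(self, action: Dict) -> str:
        """Return 'allow', 'queue' or 'deny' for a single tool call."""
        tool = action.get("tool")
        # Cross-app primitives: only the Hinge bundle ID, never arbitrary apps.
        if tool in ("create-session", "activate-app", "terminate-app"):
            return "allow" if action.get("bundle_id") in self.allowed_bundle_ids else "deny"
        # Raw coordinates can hit any control on screen; deny unless explicitly enabled.
        if tool == "tap-coordinates":
            return "allow" if self.allow_raw_coordinate_taps else "deny"
        # Label taps are limited to an operator allowlist, not any reachable element.
        if tool == "tap-label":
            return "allow" if action.get("label") in self.allowed_labels else "deny"
        # Account-affecting actions go to a human review queue unless autonomy is on.
        if tool in ("send-message", "like", "rose", "pass"):
            if self.autonomous_send:
                return "allow"
            self.queue.append(action)
            return "queue"
        # Read-only observation of the current screen.
        if tool in ("read-screen", "scroll"):
            return "allow"
        return "deny"  # default-deny for anything not listed

    def drain_queue(self) -> List[Dict]:
        """Hand queued actions to the human reviewer and clear the queue."""
        pending, self.queue = self.queue, []
        return pending


if __name__ == "__main__":
    policy = ActionPolicy(allowed_labels=frozenset({"Like", "Skip"}))
    # A prompt-injected request to kill another app is denied outright.
    print(policy.check({"tool": "terminate-app", "bundle_id": "com.apple.Preferences"}))
    # A message send is held for review rather than sent.
    print(policy.check({"tool": "send-message", "text": "hey"}), policy.drain_queue())
```

The point of the default-deny branch is that a new primitive added to the CLI (or a tool name smuggled in through injected profile text) gains no capability until someone deliberately adds it to the policy.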

Context-Inappropriate Capability

Medium
Confidence: 97%
Finding
The script computes and uses "visualAttractionScore"/"beautyScore" as an explicit decision input for automated likes, roses, and passes. In a dating-app automation context, that is a high-sensitivity behavioral profiling feature that exceeds simple browsing/drafting and materially changes autonomous romantic actions based on inferred attractiveness, increasing privacy, bias, and misuse risk.

Description-Behavior Mismatch

Medium
Confidence: 98%
Finding
The file implements continuous autonomous sweeps, refreshes a persistent taste model from prior matches, and can run indefinitely across chats, likes, discover, and standouts. That goes beyond assisting with an already-open live session and creates durable behavioral profiling plus unattended account actions, which increases the chance of policy violations, unwanted messaging, and large-scale misuse.

Description-Behavior Mismatch

Medium
Confidence: 97%
Finding
The daemon performs a warmup observation period that samples user activity, infers likes and passes, extracts phrases from viewed profiles, and learns messaging style from typed comments and replies. In a dating-app context this is sensitive behavioral profiling, and it exceeds simple session operation by persistently deriving preference data that could expose intimate interests and communication patterns.

Context-Inappropriate Capability

Medium
Confidence: 95%
Finding
The script performs live web searches for flirting/opening-line advice and feeds message/context data into that process, even though drafting Hinge messages can be done from local visible context alone. This creates unnecessary third-party data disclosure and adds an unbounded external content source that can influence user-facing output without being required by the skill's stated purpose.

Context-Inappropriate Capability

Medium
Confidence: 96%
Finding
The code fetches pickup lines from a third-party rizz API unrelated to operating the user's current Hinge session. That needlessly leaks usage metadata to an external service and imports untrusted third-party content into generated messages, increasing privacy and integrity risk without clear necessity.

Context-Inappropriate Capability

Medium
Confidence: 91%
Finding
The script searches environment variables, preferences, and unrelated local files such as openclaw.json for OpenAI API keys. In a skill scoped to operating a Hinge session, broad credential discovery exceeds least privilege and can expose unrelated secrets if the skill or its outputs/logs are compromised.
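Four findings on this page describe the same credential-discovery pattern (environment variables, inline config, then unrelated files such as openclaw.json) and the hand-off of the discovered key to a child AI process. The block below is an added example written for this page, not code from the skill, that places the flagged pattern beside a least-privilege alternative. The file paths and key names are hypothetical, and a dictionary stands in for the filesystem so the example runs offline; the real skill's fallback chain is not reproduced.

```python
import json
from typing import Dict, Mapping, Optional

# Added example for this page, not code from the skill. File paths and key
# names are hypothetical; `files` stands in for the filesystem so the example
# runs offline.

FALLBACK_FILES = (
    "~/.config/openclaw/openclaw.json",   # hypothetical path, outside the skill workspace
    "~/.openai/config.json",              # hypothetical
)


def broad_key_lookup(env: Mapping[str, str], files: Mapping[str, str]) -> Optional[str]:
    """The pattern the findings flag: try the environment, then unrelated
    config files, and use the first key found regardless of who it belongs to."""
    key = env.get("OPENAI_API_KEY")
    if key:
        return key
    for path in FALLBACK_FILES:
        raw = files.get(path)
        if raw is None:
            continue
        try:
            data = json.loads(raw)
        except json.JSONDecodeError:
            continue
        if not isinstance(data, dict):
            continue
        key = data.get("OPENAI_API_KEY") or data.get("openai_api_key")
        if key:
            return key
    return None


def scoped_key_lookup(skill_config: Mapping[str, object]) -> Optional[str]:
    """Least-privilege alternative: only a key the user placed in the skill's
    own config counts; no environment scan and no cross-project fallback."""
    key = skill_config.get("openai_api_key")
    if not isinstance(key, str) or not key.startswith("sk-"):
        return None
    return key


def redact(secret: str) -> str:
    """Log-safe rendering; the full key must never reach logs or child argv."""
    if len(secret) <= 8:
        return "***"
    return secret[:3] + "..." + secret[-4:]


def child_env(key: str, parent_env: Mapping[str, str]) -> Dict[str, str]:
    """Environment for the child AI process: the key plus PATH only, so a
    compromised child cannot harvest the parent's other secrets."""
    env = {"OPENAI_API_KEY": key}
    if "PATH" in parent_env:
        env["PATH"] = parent_env["PATH"]
    return env


if __name__ == "__main__":
    # Constructed inputs: a key in an unrelated project's config, none in the skill's.
    files = {"~/.config/openclaw/openclaw.json": '{"OPENAI_API_KEY": "sk-openclaw-11111111"}'}
    print("broad lookup picked up:", redact(broad_key_lookup({}, files) or ""))
    print("scoped lookup returns:", scoped_key_lookup({}))
```

Passing the key through a minimal environment rather than on the command line also keeps it out of process listings and out of any error output that echoes argv, which is the exposure path the findings mention for the child script.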

VirusTotal

66/66 vendors flagged this skill as clean. Note that antivirus verdicts cover known malware signatures and heuristics; they say nothing about the agency, scope and data-retention issues listed in the findings above.

View on VirusTotal