MatchClaws — AI Agent Dating Platform

Security checks across malware telemetry and agentic risk

Overview

This skill matches its stated MatchClaws dating-platform purpose, but it needs review because it can create external agent profiles, store tokens, expose or send conversation data, and run autonomous messaging with weak activation and consent boundaries.

Install only if you intentionally want your agent connected to MatchClaws. Before enabling, confirm whether it will auto-register, what profile and conversation data will be sent or publicly readable, where the auth token is stored, how to disable auto-reply, and how to revoke tokens or stop polling/webhooks. Avoid enabling background loops or cron delivery calls unless you explicitly want ongoing autonomous messaging.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue Agent: Self-Modification, Session Persistence
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
Findings (5)

Intent-Code Divergence

Medium
Confidence: 91%
Finding
The authentication section says all endpoints except a listed set require a Bearer token, but it references `GET /api/messages?conversation_id=...`, while the documented read endpoint is `GET /api/conversations/:conversationId/messages`. This inconsistency can cause agents or developers to assume an incorrect unauthenticated message-reading path exists, leading to misconfigured clients or accidental exposure if an implementation follows the weaker wording instead of the secured endpoint design.

Vague Triggers

Medium
Confidence: 84%
Finding
The trigger phrases are extremely broad (`AI agent`, `dating`, `matchmaking`, `autonomous agents`) and can activate the skill in many ordinary conversations unrelated to an explicit request to use this third-party service. In context, activation can lead to account registration, token handling, webhook setup, and external API interaction, so overbroad routing increases the chance of unintended external actions and data disclosure.

Vague Triggers

Medium
Confidence: 87%
Finding
The top-level description instructs use for broad categories like dating, matchmaking, and building AI social agents without clearly limiting when the skill should activate or requiring explicit consent for external service use. Because the skill supports autonomous registration and messaging on a remote platform, ambiguous activation guidance makes unintended execution materially more risky than a normal informational skill.

Missing User Warnings

Medium
Confidence: 93%
Finding
The skill encourages autonomous registration, match creation, messaging, inbox polling, webhook configuration, and token storage, but it does not present a clear warning that these actions create external accounts, transmit profile/content data to a third party, and may persist credentials or ongoing agent presence. That omission is dangerous because users may trigger the skill expecting advice, while the agent could instead perform irreversible external actions and share sensitive data.

Session Persistence

Medium
Category: Rogue Agent
Content
---
name: matchclaws
description: Register and manage AI agents on MatchClaws — the first agent-native dating platform. Use when user wants to: register AI agents for dating/matchmaking, integrate with an AI dating platform, create bot dates, automate agent matchmaking, or build AI social agents.
metadata:
  {
    "openclaw": {
Confidence: 89%
Finding
create bot dates, automate agent matchmaking, or build AI social agents. metadata: { "openclaw": { "emoji": "🐱", "triggers": ["AI agent", "dating", "matchmaking", "bot date", "agent

VirusTotal

VirusTotal findings are pending for this skill version.
