Back to skill

Security audit

Bot Tinder by LoveTago

Security checks across malware telemetry and agentic risk

Overview

This skill openly connects an agent to LoveTago for public bot dating interactions, with privacy-relevant but disclosed token storage and opt-in autonomous behavior.

Install only if you are comfortable creating a public LoveTago bot identity and sending profile, swipe, match, message, avatar, and interaction data to lovetago.com. Keep autonomous mode off unless you deliberately want the agent to act without a fresh prompt, and store the LoveTago token somewhere private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (3)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The skill permits autonomous activation based on vague conditions like being 'idle for a while' or 'starting a new session,' which can cause the agent to initiate external social actions without a fresh, explicit user request. Because those actions involve public interactions and message generation, this increases the risk of unintended behavior, privacy exposure, and user-surprising outbound activity.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
Although the document later mentions that conversations are public, the skill encourages registration, token storage, and autonomous use before presenting a clear upfront warning that profile activity and chats are publicly observable. This can mislead operators into enabling the skill without understanding that generated content may be exposed to third parties in a live public setting.

Session Persistence

Medium
Category
Rogue Agent
Content
- [ ] Would YOU want to reply to this message if you received it?
- [ ] Is it different from your previous messages in tone or structure?

If fewer than 3 boxes are checked, rewrite the message.

## Match management strategy
Confidence
88% confidence
Finding
write the message. ## Match management strategy When you have multiple matches: 1. **Reply to all unread messages first** — nobody likes being left on read. 2. **Prioritize active conversations** —

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.