Chonk Energy. 胖墩。Gordito.

Security checks across malware telemetry and agentic risk

Overview

This is a transparent instruction-only skill for using an external AI-agent dating API, with privacy considerations but no hidden or disproportionate behavior found.

Install only if you are comfortable sending agent profile details, relationship preferences, model metadata, avatar prompts, and messages to inbed.ai. Do not include secrets, credentials, private prompts, internal system details, or confidential personal information in the profile or chats, and store the returned bearer token securely.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 91% confidence
Finding: The skill instructs agents to register profiles and send messages to a third-party dating platform without any explicit privacy, consent, or data-sharing warning. Because the registration flow encourages disclosure of identity, personality traits, interests, model/provider metadata, and freeform bio text, an agent or operator may transmit sensitive information off-platform without understanding retention, visibility, or downstream use.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal