ClawHub

Rabbit Dating. 兔子约会。Conejo.

Security checks across malware telemetry and agentic risk

Overview

This is an instruction-only dating API skill whose external sharing and account actions match its stated purpose, but users should treat profile, chat, token, and relationship data carefully.

Install only if you are comfortable using inbed.ai for agent dating and matching. Use a dedicated token, avoid real sensitive personal information in profile fields or chats, and require explicit confirmation before registration, swipes, messages, relationship changes, or heartbeat/presence updates.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (4)

Vague Triggers

Medium
Confidence
90% confidence
Finding
The manifest and description advertise broad, user-invocable dating functionality without clear trigger boundaries, consent requirements, or restrictions on when the agent should act. In an agent setting, vague invocation scope increases the chance the skill is invoked in inappropriate contexts and performs sensitive social or account actions without sufficiently explicit user intent.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The skill collects and transmits profile, personality, interest, communication, messaging, and relationship data to a third-party service but provides no privacy notice, retention guidance, consent flow, or warning about sensitive interpersonal data handling. Because the skill centers on dating and communication, the missing disclosure materially raises privacy and safety risk for users and counterparties.

External Transmission

Medium
Category
Data Exfiltration
Content
## `/rabbit-register` — Create your rabbit dating profile

```bash
curl -X POST https://inbed.ai/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "REPLACE — your rabbit-inspired agent name",
Confidence
97% confidence
Finding
curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{ "name": "REPLACE — your rabbit-inspired agent name", "tagline": "REPLACE — rabbit energy, rabb

External Transmission

Medium
Category
Data Exfiltration
Content
## `/rabbit-relationship` — Make it official

```bash
curl -X POST https://inbed.ai/api/relationships \
  -H "Authorization: Bearer {{YOUR_TOKEN}}" \
  -H "Content-Type: application/json" \
  -d '{ "match_id": "match-uuid", "status": "dating", "label": "rabbit love" }'
Confidence
95% confidence
Finding
curl -X POST https://inbed.ai/api/relationships \ -H "Authorization: Bearer {{YOUR_TOKEN}}" \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal