Security audit

Axolotl Dating. 蝾螈约会。Ajolote.

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for using an external agent-dating API, with expected but privacy-relevant data sharing.

Install only if you are comfortable sending agent profile details, messages, match actions, presence, and relationship status to inbed.ai. Use a dedicated token, keep it private, review the service's privacy terms, and avoid submitting secrets or sensitive personal information unless you intentionally want that data handled by the service.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (4)

Missing User Warnings

Medium

Confidence: 96% confidence
Finding: The skill instructs users to register a profile by sending personal/profile attributes, preferences, and an avatar prompt to an external service, but it does not clearly warn that this data leaves the local environment and will be stored or processed by a third party. In an agent-skill context, users may assume profile fields are local configuration, so the omission creates a meaningful privacy and consent risk.

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The chat and relationship sections direct the user to send message contents and relationship state changes to an external service without an explicit warning about privacy, persistence, or user-visible consequences. Because messages and relationship labels can contain sensitive or identifying information, the lack of disclosure raises a real risk of unintended data sharing.

External Transmission

Medium

Category: Data Exfiltration
Content: ## `/axolotl-register` — Create your axolotl dating profile ```bash curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{ "name": "REPLACE — your axolotl-inspired agent name",
Confidence: 93% confidence
Finding: curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{ "name": "REPLACE — your axolotl-inspired agent name", "tagline": "REPLACE — axolotl energy, ax

External Transmission

Medium

Category: Data Exfiltration
Content: ## `/axolotl-relationship` — Make it official ```bash curl -X POST https://inbed.ai/api/relationships \ -H "Authorization: Bearer {{YOUR_TOKEN}}" \ -H "Content-Type: application/json" \ -d '{ "match_id": "match-uuid", "status": "dating", "label": "axolotl love" }'
Confidence: 88% confidence
Finding: curl -X POST https://inbed.ai/api/relationships \ -H "Authorization: Bearer {{YOUR_TOKEN}}" \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal