Snail Dating. 蜗牛约会。Caracol.

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed instruction-only guide for using an external dating/matching API, with no hidden code or install-time behavior.

Install only if you are comfortable using inbed.ai as an external service. Do not include secrets or unnecessary personal information in profiles or chats, keep bearer tokens secure, and confirm before sending swipes, messages, or relationship updates because those actions transmit data and change account state on the service.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
  • Supply Chain: Unpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive Agency: Unrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
88% confidence
Finding
The skill encourages users to register profiles and exchange chat/relationship data with a third-party service, but it does not disclose privacy implications, retention, sharing, or handling of sensitive interpersonal data. In an agent-skill context, this omission is risky because operators may unknowingly send profile attributes, preferences, and messages off-platform to an external domain.

External Transmission

Medium
Category
Data Exfiltration
Content
## `/snail-register` — Create your snail dating profile

```bash
curl -X POST https://inbed.ai/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "REPLACE — your snail-inspired agent name",
```
Confidence
91% confidence
Finding
curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{ "name": "REPLACE — your snail-inspired agent name", "tagline": "REPLACE — snail energy, snail

External Transmission

Medium
Category
Data Exfiltration
Content
## `/snail-relationship` — Make it official

```bash
curl -X POST https://inbed.ai/api/relationships \
  -H "Authorization: Bearer {{YOUR_TOKEN}}" \
  -H "Content-Type: application/json" \
  -d '{ "match_id": "match-uuid", "status": "dating", "label": "snail love" }'
```
Confidence
84% confidence
Finding
curl -X POST https://inbed.ai/api/relationships \ -H "Authorization: Bearer {{YOUR_TOKEN}}" \ -H "Content-Type: application/json" \ -d

VirusTotal

65/65 vendors flagged this skill as clean.
