Hinge Auto-Liker
WarnAudited by ClawScan on May 10, 2026.
Overview
This skill does what it claims, but it can repeatedly act as you on Hinge, send AI-generated likes/comments, and upload/store dating-profile screenshots.
Only install this if you are comfortable with unattended automation of your Hinge account and external AI processing of dating-profile screenshots. Avoid daily cron, do not hardcode API keys, review likes/comments before sending, and delete screenshots/logs after each run.
Findings (6)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The skill could like or comment on profiles you would not have approved, especially during API failures or setup mistakes.
The automation fails open: if the AI key is missing or analysis errors, it still chooses to like profiles instead of stopping or asking for confirmation.
No GEMINI_API_KEY set — liking by default ... analysis failed, liking by default
Fail closed on errors, add a dry-run mode, and require explicit user approval before each like/comment is sent.
The automation can act under your dating account identity, and exposed cron/API-key material could be misused by other local processes or users.
The skill relies on an active Hinge account session and a Gemini API key, and it recommends embedding the key in a persistent cron payload.
Android emulator (AVD) with Hinge installed and logged in ... Hardcode GEMINI_API_KEY in the cron payload
Declare all credentials and account authority, avoid hardcoding API keys, use a secret manager or runtime prompt, and keep the Hinge session tightly controlled.
Images and personal details from Hinge profiles may leave the emulator and be processed by an external AI provider.
Captured profile screenshots are encoded and sent to the Gemini provider for vision analysis.
image_b64 = base64.b64encode(f.read()).decode() ... inline_data ... GEMINI_URL
Clearly disclose this data flow before each run, minimize screenshots sent, and document provider retention/privacy implications.
Sensitive dating-profile images, summaries, comments, and decisions may remain on disk and could be viewed, synced, or reused later.
The script persistently saves profile screenshots and logs under the working directory without a stated retention or cleanup policy.
SCREENSHOT_DIR = WORK_DIR / "screenshots"; LOG_DIR = WORK_DIR / "logs" ... screenshot(path)
Store sensitive artifacts only when explicitly requested, delete them after the session by default, and provide retention controls.
It could continue using your account daily after setup, consuming likes/quota and sending interactions when you did not intend it.
The skill documents persistent scheduled operation for recurring autonomous Hinge account activity, without a stated expiry or per-run approval requirement.
Set up via OpenClaw cron for daily automated runs.
Do not enable recurring runs by default; require explicit scheduling, an end date, visible status, and easy disable/cleanup instructions.
Users may not see the true setup requirements and credential needs until after reading the skill instructions.
The registry metadata does not declare provenance, required tools, or the Gemini API key even though the skill instructions require Android tooling, ADB, Python/Java, and GEMINI_API_KEY.
Source: unknown; Homepage: none; Required binaries: none; Required env vars: none; No install spec
Add accurate dependency, credential, capability, and provenance metadata before distribution.