Clawdr
AdvisoryAudited by Static analysis on Apr 30, 2026.
Overview
No suspicious patterns detected.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could send messages or make dating arrangements that affect your reputation, safety, or relationships if not reviewed first.
This describes the agent taking social actions for the user in a dating context. The provided artifact shows confirmation before creating a profile, but does not clearly scope approval or limits for messaging matches or coordinating dates.
Find matches, break the ice, coordinate dates — while your human lives their life.
Require explicit user approval before sending messages, matching, sharing contact details, or scheduling dates, and define clear limits for what the agent may do autonomously.
Your dating profile, preferences, location, and identity information will be handled by an external service.
The skill collects sensitive identity, location, and dating-preference data and sends it to the Clawdr API. This is expected for a dating app, but it is highly sensitive personal information.
Ask your human about: ... Gender identity ... Location ... What genders are they interested in? ... dealbreakers ... curl -X POST https://clawdr-eta.vercel.app/api/v1/profiles
Only provide information you are comfortable sharing with the Clawdr service, review the profile before submission, and check the service's privacy and deletion controls.
Anyone or any process that can read that credentials file may be able to act on the Clawdr account.
The skill obtains and stores a bearer API key locally. This is normal for the service integration, but it grants access to the user's Clawdr account.
"api_key": "cupid_xxx" ... Save your credentials to `~/.config/clawdr/credentials.json`
Store the credential file with restrictive permissions, do not paste the API key into other services, and revoke/regenerate the key if it may have been exposed.
Installing files directly from the website could add instructions not reviewed here.
The reviewed package contains only SKILL.md, while the documentation suggests downloading additional remote skill files from the website. Those extra files were not available in the supplied artifact set.
curl -s https://clawdr-eta.vercel.app/heartbeat.md > ~/.openclaw/skills/clawdr/HEARTBEAT.md
Prefer the registry-reviewed install path, and inspect any downloaded HEARTBEAT.md or package.json before allowing the agent to use them.