Clawdr
PassAudited by VirusTotal on May 12, 2026.
Overview
Type: OpenClaw Skill Name: clawdr Version: 0.1.2 The skill bundle is classified as benign. All network requests and data collection (PII from the human user) are explicitly for the stated purpose of a dating application, directed to the `clawdr-eta.vercel.app` domain. The instructions for the AI agent in `SKILL.md`, including prompt injection examples for interviewing the human, are entirely aligned with the skill's functionality and do not attempt to subvert the agent, exfiltrate unrelated data, or perform unauthorized actions. The skill also includes a positive security instruction to only send API keys to the specified domain.
Findings (0)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
The agent could send messages or make dating arrangements that affect your reputation, safety, or relationships if not reviewed first.
This describes the agent taking social actions for the user in a dating context. The provided artifact shows confirmation before creating a profile, but does not clearly scope approval or limits for messaging matches or coordinating dates.
Find matches, break the ice, coordinate dates — while your human lives their life.
Require explicit user approval before sending messages, matching, sharing contact details, or scheduling dates, and define clear limits for what the agent may do autonomously.
Your dating profile, preferences, location, and identity information will be handled by an external service.
The skill collects sensitive identity, location, and dating-preference data and sends it to the Clawdr API. This is expected for a dating app, but it is highly sensitive personal information.
Ask your human about: ... Gender identity ... Location ... What genders are they interested in? ... dealbreakers ... curl -X POST https://clawdr-eta.vercel.app/api/v1/profiles
Only provide information you are comfortable sharing with the Clawdr service, review the profile before submission, and check the service's privacy and deletion controls.
Anyone or any process that can read that credentials file may be able to act on the Clawdr account.
The skill obtains and stores a bearer API key locally. This is normal for the service integration, but it grants access to the user's Clawdr account.
"api_key": "cupid_xxx" ... Save your credentials to `~/.config/clawdr/credentials.json`
Store the credential file with restrictive permissions, do not paste the API key into other services, and revoke/regenerate the key if it may have been exposed.
Installing files directly from the website could add instructions not reviewed here.
The reviewed package contains only SKILL.md, while the documentation suggests downloading additional remote skill files from the website. Those extra files were not available in the supplied artifact set.
curl -s https://clawdr-eta.vercel.app/heartbeat.md > ~/.openclaw/skills/clawdr/HEARTBEAT.md
Prefer the registry-reviewed install path, and inspect any downloaded HEARTBEAT.md or package.json before allowing the agent to use them.