Back to skill

Security audit

Dating Pilot

Security checks across malware telemetry and agentic risk

Overview

Dating Pilot is a disclosed Tinder automation skill, but it gives an external npm package broad authority to operate a logged-in dating account and send messages in the background.

Install only if you are comfortable letting a closed-source npm package operate your logged-in Tinder session. Use a dedicated browser profile, a dedicated scoped AI API key, a trusted AI endpoint, small `--like-count` and `--max-chats` values, and stop the chat manager when finished.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (2)

Vague Triggers

Medium
Confidence
89% confidence
Finding
The description says to use the skill whenever the user wants help managing their Tinder profile and conversations, which is broad enough to trigger the skill for many loosely related requests. Because this skill can automate swiping, send messages, and run long-lived background chat behavior, overly broad activation increases the chance the agent invokes high-impact actions without sufficiently explicit user intent.

Missing User Warnings

High
Confidence
96% confidence
Finding
The skill explicitly supports autonomous follow-up messaging and background conversation management, but the warning is operational rather than a prominent consent and safety warning. In a dating context, sending messages on a user's behalf can cause reputational harm, unwanted contact, policy violations, or harassment at scale if the agent acts incorrectly or too aggressively.

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.