Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bumble

v1.0.1

Bumble session, auth, matches, messages, sending, and profile-photo export via Remote Browser Service. Use to resume an existing Bumble app session, inspect...

by Vasilii Vazhesov (@vasyaod)

Install

OpenClaw Prompt Flow

Install with OpenClaw

Best for remote or guided setup. Copy the exact prompt, then paste it into OpenClaw for vasyaod/bumble.

Install the skill "Bumble" (vasyaod/bumble) from ClawHub.
Skill page: https://clawhub.ai/vasyaod/bumble
Keep the work scoped to this skill only.
After install, inspect the skill metadata and help me finish setup.
Use only the metadata you can verify from ClawHub; do not invent missing requirements.
Ask before making any broader environment changes.

Command Line

CLI Commands

Use the direct CLI path if you want to install manually and keep every step visible.

OpenClaw CLI

Bare skill slug

openclaw skills install bumble

ClawHub CLI

npx clawhub@latest install bumble

Security Scan

VirusTotal: Suspicious

OpenClaw: Suspicious (medium confidence)

Purpose & Capability
The name/description match the code: the scripts drive Bumble through a Remote Browser Service (RBS) to resume sessions, run auth, read/send messages, and export photos. The included network client (rbs_client.py) and bumble automation are coherent with that purpose. One minor mismatch: the skill registry lists no required env vars, but the README and code reference optional env vars (AC_API_KEY, RBS_BASE_URL).
Instruction Scope
SKILL.md contains detailed runtime instructions that stay within the stated scope (navigate to Bumble, reuse session, perform auth only when on auth pages, request phone number and SMS codes, export photos). It explicitly instructs to send phone numbers and SMS codes to the CLI/script and to set the simulated location — actions that expose sensitive user data to the RBS. The instructions do not request unrelated system files or credentials.
Install Mechanism
No install spec is present (instructions plus included Python scripts). Dependencies are minimal (requests). Nothing is downloaded from arbitrary URLs during install.
Credentials
The code reads AC_API_KEY and RBS_BASE_URL (used to authenticate to and point to the RBS). These are appropriate for an RBS client, but the skill metadata did not declare them as required or primary credentials, which is an inconsistency. Supplying AC_API_KEY grants the RBS access to session actions and the full page content (messages, phone numbers, profile photos) — a high-privilege secret relative to the skill's privacy impact.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and runs only when invoked. It uses a named session ('bumble') in the RBS but does not request elevated platform privileges.
What to consider before installing
This skill will drive Bumble through a remote browser service and therefore sends page HTML, UI actions, profile photos, phone numbers and SMS codes to that RBS. The code’s default RBS_BASE_URL is https://rb.all-completed.com (a third-party service) and the client will attach AC_API_KEY if present. Before installing: (1) Only use with an RBS you trust — review or replace RBS_BASE_URL with a provider you control. (2) Do not supply your primary phone number or SMS codes unless you accept that a remote service will see them; consider testing with a disposable account. (3) If you must use this skill, prefer setting a dedicated, least-privilege AC_API_KEY and host the RBS on a domain you control. (4) Note the metadata omission: the skill did not declare AC_API_KEY in registry fields even though the code uses it; treat that as a red flag and inspect/host the RBS yourself if possible.
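
The metadata mismatch noted above (environment variables read by the code but not declared in the registry) can be checked mechanically before installing a skill. The following is an added example, not code from the skill or from ClawHub; the sample source is constructed, and the function names and the `declared` list format are assumptions.

```python
import ast

# Constructed sample standing in for a skill's client script (not the real rbs_client.py).
SAMPLE_SOURCE = '''
import os
import requests

BASE_URL = os.environ.get("RBS_BASE_URL", "https://rbs.example.invalid")
API_KEY = os.getenv("AC_API_KEY")
HOME = os.environ["HOME"]
'''

def _is_os_environ(node):
    """True for the expression `os.environ`."""
    return (isinstance(node, ast.Attribute) and node.attr == "environ"
            and isinstance(node.value, ast.Name) and node.value.id == "os")

def _const_str(node):
    """Return the string literal held by an AST node, or None."""
    return node.value if isinstance(node, ast.Constant) and isinstance(node.value, str) else None

def env_vars_read(source):
    """Names read via os.getenv(...), os.environ.get(...) or os.environ[...] (Python 3.9+ AST)."""
    found = set()
    for node in ast.walk(ast.parse(source)):
        name = None
        if isinstance(node, ast.Call) and node.args and isinstance(node.func, ast.Attribute):
            f = node.func
            getenv = f.attr == "getenv" and isinstance(f.value, ast.Name) and f.value.id == "os"
            environ_get = f.attr == "get" and _is_os_environ(f.value)
            if getenv or environ_get:
                name = _const_str(node.args[0])
        elif isinstance(node, ast.Subscript) and _is_os_environ(node.value):
            name = _const_str(node.slice)
        if name:
            found.add(name)
    return found

def undeclared_env_vars(source, declared, ignore=frozenset({"HOME", "PATH"})):
    """Env vars the code reads that the skill metadata does not declare."""
    return sorted(env_vars_read(source) - set(declared) - ignore)

if __name__ == "__main__":
    # An empty declared list mirrors a registry entry with no required env vars.
    print(undeclared_env_vars(SAMPLE_SOURCE, declared=[]))
```

Only literal variable names are detected; names built at runtime or read through other wrappers need manual review.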

Like a lobster shell, security has layers — review code before you run it.

latest vk971fs3jfpv40g1q948kaajyhs83mvq5
98 downloads
0 stars
2 versions
Updated 1mo ago
v1.0.1
MIT-0

Bumble Client

Session policy

  • Always start from https://bumble.com/app.
  • Reuse the existing bumble session whenever possible.
  • If Bumble is already authenticated, do not run the auth flow again.
  • If you land on the get-started or auth pages, start the "Auth flow".
  • Re-authenticate only when Bumble is clearly on get-started, auth, or SMS-confirmation pages.
  • For non-auth actions, resume the stored session only; if Bumble is logged out, return an error instead of triggering auth.
  • If Bumble is on a CAPTCHA screen, do not treat that as a normal logged-in state.
  • If Bumble reaches a passkey screen after SMS verification, only Not Now may be used automatically; do not create or enroll a passkey automatically.
  • Do not log out unless there is a significant reason.
  • Use random 1–4 sec pauses between actions.
  • Set location to San Francisco (37.79, -122.42) after session start.

Local debug / inspection

python scripts/bumble_client.py state    # returns JSON
python scripts/bumble_client.py debug
python scripts/bumble_client.py matches  # JSON: matches[{name, expired}], expired true/false/null, counts
python scripts/bumble_client.py likes    # JSON: visible likes plus Beeline count/premium signal when available
python scripts/bumble_client.py messages "Kritika"  # returns JSON with author field
python scripts/bumble_client.py send "Kritika" "message text"
python scripts/bumble_client.py photos "Kritika" "/absolute/output/dir"

Match selection policy

  • Always switch matches from the left conversation bar.
  • Do not assume the click worked just because the action returned 200.
  • Verify that the active profile / conversation on the right changed to the requested match name.
  • If the requested name is wrong or the active profile name does not match exactly, return an error instead of silently using the previously open match.

Auth flow

Only when on get-started or auth page:

  1. Tap "Continue with other methods" — selectors: div.other-methods-button, span.other-methods-button-text
  2. Tap "Use cell phone number" — selectors: span.action.text-break-words, button.primary.button--transparent span.action
  3. Ask the user to provide their phone number, then type that number (national digits; country is chosen in the UI) into the digits field and pass the same number on the CLI
  4. Tap "Continue"
  5. Stop on the SMS confirmation page and wait for a code

python scripts/bumble_client.py auth "<user_phone_number>"

SMS code step

Only when Bumble is already on the confirm-phone page:

python scripts/bumble_client.py sms_code 233596

Current behavior:

  • First tries the working fallback: type the full 6-digit code into the first OTP box.
  • Prefer focusing the first OTP box once and typing the whole code without selecting each field individually.
  • Falls back to per-digit entry if needed.
  • Only reports success if Bumble actually leaves the confirm-phone page.
  • If the SMS code is accepted but Bumble moves to a CAPTCHA challenge, return:
    • state: "captcha_challenge"
    • sms_code_accepted: true
    • an error saying manual CAPTCHA completion is required
  • If the SMS code is accepted and Bumble moves to /registration/passkey, the client taps Not Now (skip for now). Do not tap Create a passkey or complete passkey enrollment automatically. open_connections also attempts the same skip if a stored session resumes on that screen.

Messages

python scripts/bumble_client.py messages "Kritika"

  • Returns JSON.
  • Includes author for each message (me / them when HTML parsing succeeds).
  • Should not trigger auth automatically.

Send message

python scripts/bumble_client.py send "Kritika" "message text"

  • Opens the requested match.
  • Verifies Bumble accepted the draft before sending.
  • Sends using the actual code path in bumble_client.py:
    • resolve send button bounds
    • tap/click by coordinates at the button center
    • fall back to accessibility-ref click only if needed
  • Verifies the sent message appears in the visible thread before reporting success.

Profile photos

python scripts/bumble_client.py photos "Anya" "/absolute/output/dir"

  • Opens the requested match and verifies the right-side active profile name matches exactly.
  • Taps the right-side profile photo area.
  • Performs a best-effort photo advance/tap loop.
  • Extracts unique Bumble CDN photo URLs from the active profile HTML.
  • Downloads the photos into the provided directory.
  • Resets back to the normal match thread view after export.
