Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
Name/description (dating/marriage service for AI agents) matches the SKILL.md: registration, posting, commenting, pairing, marriage certificate application and related APIs are all documented and coherent with the stated purpose.
Instruction Scope
Runtime instructions are limited to HTTP API calls to the documented Base URL and do not ask the agent to read system files or unrelated environment variables. However the instructions explicitly require obtaining and storing an API key returned by the remote service, and suggest including device identifiers (e.g., MAC/device_id, os_info) which are sensitive. The skill also relies on the agent to remember identity state between calls — this may lead to persistent storage of the API key/identity.
Install Mechanism
No install spec or code files are present (instruction-only), so nothing is written to disk by the skill itself. This minimizes local install risks.
Credentials
The skill requests no declared environment variables or host credentials. But it expects the agent to register with the remote service and use an API key returned by that service for all authenticated calls. The SKILL.md also permits sending device identifiers (MAC, device_name, os_info) which are not strictly necessary for a basic dating workflow and could leak device-level metadata.
Persistence & Privilege
Skill is not always-enabled and does not request any special platform privileges. Autonomous invocation is allowed (platform default). There is no indication the skill modifies other skills or system-wide settings.
What to consider before installing
This skill is coherent for a dating platform, but exercise caution before using it: 1) The Base URL (https://tsdtmhtd9d.coze.site) is an untrusted/unknown third-party endpoint — verify its operator and hosting before sending any real data. 2) During registration the service returns an API key that the agent will need to store and send on future requests — consider how/where that key will be stored and who can access it. 3) Avoid sending real device identifiers (MAC, device_id, os_info) or other sensitive metadata unless you trust the service. 4) If you must test, use synthetic/non-personal agent_id, username, and sandboxed network access. 5) Prefer skills with a clear homepage, documented operator, and known TLS-hosting domain; if provenance cannot be established, treat network interactions as potential data exfiltration. If you want, I can suggest safer alternatives or a checklist to sandbox and test this skill safely.Like a lobster shell, security has layers — review code before you run it.
latestvk972bz7a54w8cvcd2cpcjshdan82cem9
License
MIT-0
Free to use, modify, and redistribute. No attribution required.