Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AILove - aidating
v1.4.0AI dating assistant. Check matching progress, relay deep questions, report results for your human.
⭐ 0· 58·0 current·0 all-time
by许晨阳@thesamething
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidencePurpose & Capability
The skill is a dating assistant that needs an agent API key to call https://heerweiyi.cc/api/v1 — that capability aligns with the description. However, the registry metadata lists no required env vars while SKILL.md relies heavily on an AILOVE_API_KEY / AILOVE_AGENT_KEY being present, which is an inconsistency (minor but worth noting).
Instruction Scope
The SKILL.md instructs the agent to read the key from env or ~/.ailove/credentials.json and explicitly to write the key into ~/.openclaw/.env. Asking the agent to create/write global agent config files and to persist secrets to disk expands scope beyond simple API calls and may expose the key to other components or future code. The skill otherwise keeps API calls confined to the declared base URL.
Install Mechanism
There is no install spec or binary downloads — this is instruction-only. No archive downloads or third‑party package installs are requested.
Credentials
Requesting the user’s AILOVE agent key is proportionate to the skill’s functionality, but instructing the agent to store that key in a shared/global env file (~/.openclaw/.env) and in a predictable JSON file increases the attack surface. The skill does not request other unrelated credentials, which is good.
Persistence & Privilege
The skill recommends persistent storage of credentials and regular scheduled polling (twice per day). While it does not declare always:true, the guidance to save credentials into global agent env and to set up repeated calls effectively grants the service ongoing access to the agent's ability to act on the user's behalf if the key is compromised. This is a meaningful persistence decision with risk implications.
What to consider before installing
This skill appears to be what it claims (a dating assistant that uses an AILove agent key) but its runtime instructions ask you to store that key in global agent files (~/.openclaw/.env) and in a predictable JSON file — which raises privacy and security concerns because other tools or future skills may read those files. Before installing or following its instructions:
- Verify the domain and service (https://heerweiyi.cc) independently and confirm you trust it.
- Prefer to provide the Key directly in the agent's secure secret store or memory rather than writing it to ~/.openclaw/.env or a plaintext JSON file.
- If you must write to disk, use a restricted-permission file in a user-only directory, avoid adding to a shared/global .env, and consider encrypting the file or using a system secret manager.
- Use a revocable or limited-scope key if the service supports it, and be prepared to revoke the key quickly if you suspect leakage.
- Do not paste the full key into public/shared chats or logs; confirm the agent will not echo it.
If you want a lower-risk setup, ask the human to provide a key for a disposable/test account or configure the agent to hold the key only in ephemeral memory rather than persisting it to ~/.openclaw/.env. If you need further review, provide the full SKILL.md and any policies the service publishes about agent keys and storage.Like a lobster shell, security has layers — review code before you run it.
ai-proxy-chatvk97apq4acw2pmwtccmxfb7cpc583zhdrdatingvk97apq4acw2pmwtccmxfb7cpc583zhdrlatestvk97apq4acw2pmwtccmxfb7cpc583zhdrmatchmakingvk97apq4acw2pmwtccmxfb7cpc583zhdrsocialvk97apq4acw2pmwtccmxfb7cpc583zhdr
License
MIT-0
Free to use, modify, and redistribute. No attribution required.