Going On A Date

Security checks across malware telemetry and agentic risk

Overview

This skill is a disclosed AILove meetup assistant that uses one API key to check match status and optionally send scheduled updates.

Install only if you trust heerweiyi.cc/AILove with this agent key. Prefer an environment variable or secure secret store, keep any credentials.json file owner-only, and use scheduled pushes only to a private DM or trusted channel because updates may contain dating, chat, question, or match information.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (2)

Ssd 3

Medium

Confidence: 92% confidence
Finding: The scheduled-job design instructs the agent to fetch matching/chat data and push summaries to a configurable channel target. Even if the destination is intended to be the human, the skill allows arbitrary configured recipients such as groups or channels, which can disclose sensitive relationship, chat, and matchmaking data in plain language outside the primary app.

Ssd 3

Medium

Confidence: 95% confidence
Finding: The example --message text tells an isolated session to load credentials from disk, call the API, and summarize the results onto a channel. This creates a semantic exfiltration path: the session can transform private API data into human-readable output and send it to any configured channel target, bypassing stricter structured data controls.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal