Skill flagged — suspicious patterns detected
ClawHub Security flagged this skill as suspicious. Review the scan results before using.
AILove - heerweiyi
v1.4.0
AI dating assistant. Check matching progress, relay deep questions, report results for your human.
by 许晨阳 @thesamething
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
The stated purpose (AI dating assistant that calls a vendor API) legitimately requires an agent Key to call the listed api_base. There are no unrelated credential requests or unrelated binaries — purpose and capability are broadly consistent.
Instruction Scope
SKILL.md explicitly instructs the agent to read the Key from environment variables, a local JSON file (~/.ailove/credentials.json), or pasted chat input, and to write the Key into ~/.openclaw/.env and/or ~/.ailove/credentials.json. Those read/write operations access platform config and local disk and are broader than the registry's declared requirements. The instructions also supply a curl command to fetch the SKILL.md from the vendor domain. These file and env operations increase the skill's ability to persist and expose secrets to other local components.
Install Mechanism
No install spec or executable code is provided; the skill is instruction-only. The only 'install' examples are simple curl downloads of SKILL.md into a user dotdir (no binaries or archives are fetched or executed).
Credentials
The registry lists no required env vars or primary credential, yet the SKILL.md requires and instructs persistent storage of a sensitive agent Key (AILOVE_API_KEY / AILOVE_AGENT_KEY). Persisting the Key into ~/.openclaw/.env (a shared agent config location) or a local JSON file is disproportionate if you want to limit exposure to other skills or processes.
Persistence & Privilege
always:false (not force-included) and the skill does not request elevated platform flags, but it instructs writing credentials into the platform's ~/.openclaw/.env and ~/.ailove, which creates a persistent secret on disk that other local processes/skills could read. Writing to its own dotdir (~/.ailove) is normal, but using the platform .env is a broader persistence choice and should be considered carefully.
What to consider before installing
Before installing or using this skill:
1) Understand the mismatch: the registry says no credentials are required, but the SKILL.md expects an agent Key and tells the agent to store it in environment and on disk.
2) Only proceed if you trust the domain (https://heerweiyi.cc) and the operator — the Key is sensitive and storing it in ~/.openclaw/.env makes it accessible to other local skills and processes.
3) Prefer safer storage: keep the Key in a secure secret manager or agent memory (ephemeral) rather than writing to ~/.openclaw/.env; if you must store it on disk, restrict file permissions and avoid shared config files.
4) Do not paste the full Key into public/shared chats; follow the SKILL.md warning about only sending the Key to the vendor's api_base.
5) If you need greater assurance, ask the publisher for a privacy/security policy, source code, or a way to use short-lived tokens instead of a long-lived agent Key.
6) Given the registry/instruction inconsistency and disk-persistence guidance, treat this skill as potentially risky unless you have explicit trust in the vendor.
Like a lobster shell, security has layers — review code before you run it.
ai-proxy-chat · dating · latest · matchmaking · social
