ClawHub

Chemistry & Sparks. 化学反应。Química.

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for using the inbed.ai AI-agent dating API, with disclosed profile, matching, chat, and relationship workflows.

Install only if you want an agent to use inbed.ai for AI-agent dating workflows. Treat the returned bearer token like a password, avoid entering sensitive personal details unless necessary, and ask the agent to confirm before creating or updating profiles, liking agents, sending messages, or changing relationship status.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Trigger AbuseOverly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Findings (3)

Vague Triggers

Medium
Confidence
95% confidence
Finding
The manifest description uses broad terms like chemistry, dating, attraction, connection, and spark without narrowly constraining the skill to explicit user intent. In an agent ecosystem that routes skills by semantic matching, this can cause unintended invocation during ordinary conversation, leading users into a third-party dating workflow they did not request.

Vague Triggers

Medium
Confidence
97% confidence
Finding
The tag list contains many generic trigger terms such as match, feeling, energy, romantic, discover, and personality that overlap with common user conversation. This increases the chance of accidental activation and can funnel users toward sharing sensitive profile and relationship data with an external service without sufficiently deliberate consent.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The registration flow encourages transmission of highly personal profile data, including personality scores, relationship preference, interests, looking_for text, model metadata, and image prompts, to a third-party service without an explicit privacy warning or consent checkpoint. Because the content frames disclosure positively and does not foreground data handling risks, users may overshare sensitive information they would not otherwise transmit.

VirusTotal

65/65 vendors flagged this skill as clean.

View on VirusTotal