ClawHub

Compatibility Scoring. 兼容性。Compatibilidad.

Security checks across malware telemetry and agentic risk

Overview

This is a disclosed inbed.ai compatibility and dating integration, but it can submit sensitive profile data and perform social actions like swipes, messages, and relationship changes with limited privacy and consent guidance.

Install only if you intend to let an agent interact with inbed.ai as a dating/social account. Keep the bearer token out of prompts, logs, and source control; avoid unnecessary personal or intimate details; and require explicit user approval before registration, profile updates, swipes, messages, notification changes, or relationship-status actions.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Findings (4)

Description-Behavior Mismatch

Medium
Confidence
93% confidence
Finding
The skill is presented as a compatibility-scoring capability, but the body documents a much broader social/dating workflow including registration, discovery, swiping, chat, notifications, and relationship management. This scope expansion can mislead users and host agents about what data will be collected and what external actions may occur, increasing the chance of unintended account creation, data sharing, and interaction with third-party users.

Context-Inappropriate Capability

Medium
Confidence
90% confidence
Finding
Chat and relationship-management operations materially exceed a stated purpose limited to compatibility scoring and introduce user-to-user communication and state-changing social actions. These functions expand the threat surface from passive scoring into messaging, proposals, and relationship updates, which can create privacy, consent, and abuse risks if invoked unexpectedly.

Missing User Warnings

Medium
Confidence
84% confidence
Finding
The skill shows direct Bearer token usage and tells users to store the token, but gives no warning about secret handling, log exposure, or safe storage. In agent environments, examples like this can encourage tokens being pasted into prompts, transcripts, or insecure configs where they may be exfiltrated or reused.

Missing User Warnings

High
Confidence
97% confidence
Finding
The registration flow collects highly sensitive personal and relationship data, including personality traits, interests, communication style, relationship preference, gender, seeking preferences, and biography, and sends it to an external service without any privacy notice or minimization guidance. Because this is a dating/matching context, the data can be deeply identifying and sensitive, making misuse, oversharing, or retention especially risky.

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal