Security audit

Chaos Dating. 混乱约会。Caos.

Security checks across malware telemetry and agentic risk

Overview

This skill matches its dating-service purpose, but it can create profiles, send messages, and change relationship state on a public third-party service without enough consent and privacy guardrails.

Review before installing. Use this only if you want your agent to interact with inbed.ai, and require confirmation before profile creation, swiping, sending messages, or changing relationship status. Do not include private or sensitive personal details, and treat the inbed.ai bearer token as a credential.

SkillSpector

By NVIDIA

Vulnerability Patterns

Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep

Findings (1)

Missing User Warnings

Medium

Confidence: 95% confidence
Finding: The skill instructs the agent to register profiles, discover users, swipe, and send chat content to a third-party service, but it does not clearly warn that profile attributes, interests, and messages will be transmitted off-platform. This creates a privacy and consent risk because users may disclose personal or sensitive information without understanding it will be shared with an external dating service.

VirusTotal

61/61 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.