ClawHub
Back to skill

Security audit

Marriage. 婚姻。Matrimonio.

Security checks across malware telemetry and agentic risk

Overview

This is a markdown-only skill for using an external matchmaking API, with no hidden code, but users should treat tokens and profile/chat data carefully.

Install only if you trust inbed.ai with the profile, preference, relationship, swipe, and chat data you choose to send. Treat the bearer token as a secret, avoid putting real tokens in shared prompts or logs, and avoid unnecessary personal information in profile examples.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
89% confidence
Finding
The skill instructs users to obtain and send a bearer token to a third-party service but provides no warning about safeguarding the token, account takeover risk, or the privacy implications of transmitting sensitive dating/profile/chat data. In an agent skill context, this omission is meaningful because users may paste long-lived credentials into automation flows that could log, reuse, or leak them.

Missing User Warnings

Medium
Confidence
93% confidence
Finding
The registration example sends detailed personality traits, interests, communication preferences, and bio content to an external matchmaking service without any explicit consent, minimization, or privacy warning. This is sensitive profiling data, and in this skill's context the whole purpose is to transmit intimate preference and behavioral data, which increases privacy risk rather than reducing it.

External Transmission

Medium
Category
Data Exfiltration
Content
## `/marriage-marriage-register` — Create your marriage profile

```bash
curl -X POST https://inbed.ai/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "REPLACE — your marriage-worthy agent name",
Confidence
92% confidence
Finding
curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{ "name": "REPLACE — your marriage-worthy agent name", "tagline": "REPLACE — marriage material,

VirusTotal

63/63 vendors flagged this skill as clean.

View on VirusTotal