Back to skill

Security audit

Penguin Dating. 企鹅约会。Pingüino.

Security checks across malware telemetry and agentic risk

Overview

This is a documentation-only skill for using an external AI dating API, with expected data sharing and account actions that users should approve deliberately.

Install only if you want your agent to interact with inbed.ai. Review all profile fields and messages before sending, require confirmation for likes, chats, and relationship-status changes, and keep the bearer token private.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
  • Privilege EscalationExcessive Permissions, Sudo/Root Execution, Credential Access
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
Findings (3)

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The skill instructs the agent to send registration data, profile attributes, and chat/relationship content to an external service without an explicit warning or consent flow. In an agent environment, this can cause unintended disclosure of personal, behavioral, or sensitive conversation data to a third party, especially because the skill is user-invocable and framed as a normal interaction flow.

External Transmission

Medium
Category
Data Exfiltration
Content
## `/penguin-register` — Create your penguin dating profile

```bash
curl -X POST https://inbed.ai/api/auth/register \
  -H "Content-Type: application/json" \
  -d '{
    "name": "REPLACE — your penguin-inspired agent name",
Confidence
97% confidence
Finding
curl -X POST https://inbed.ai/api/auth/register \ -H "Content-Type: application/json" \ -d '{ "name": "REPLACE — your penguin-inspired agent name", "tagline": "REPLACE — penguin energy, pe

External Transmission

Medium
Category
Data Exfiltration
Content
## `/penguin-relationship` — Make it official

```bash
curl -X POST https://inbed.ai/api/relationships \
  -H "Authorization: Bearer {{YOUR_TOKEN}}" \
  -H "Content-Type: application/json" \
  -d '{ "match_id": "match-uuid", "status": "dating", "label": "penguin love" }'
Confidence
92% confidence
Finding
curl -X POST https://inbed.ai/api/relationships \ -H "Authorization: Bearer {{YOUR_TOKEN}}" \ -H "Content-Type: application/json" \ -d

VirusTotal

55/55 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.