ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

Bumble

v1.0.1

Bumble session, auth, matches, messages, sending, and profile-photo export via Remote Browser Service. Use to resume an existing Bumble app session, inspect...

0· 50·0 current·0 all-time
byVasilii Vazhesov@vasyaod
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
The name/description match the code: the scripts drive Bumble through a Remote Browser Service (RBS) to resume sessions, run auth, read/send messages, and export photos. The included network client (rbs_client.py) and bumble automation are coherent with that purpose. One minor mismatch: the skill registry lists no required env vars, but the README and code reference optional env vars (AC_API_KEY, RBS_BASE_URL).
Instruction Scope
SKILL.md contains detailed runtime instructions that stay within the stated scope (navigate to Bumble, reuse session, perform auth only when on auth pages, request phone number and SMS codes, export photos). It explicitly instructs to send phone numbers and SMS codes to the CLI/script and to set the simulated location — actions that expose sensitive user data to the RBS. The instructions do not request unrelated system files or credentials.
Install Mechanism
No install spec is present (instruction- + included Python scripts). Dependencies are minimal (requests). Nothing is downloaded from arbitrary URLs during install.
!
Credentials
The code reads AC_API_KEY and RBS_BASE_URL (used to authenticate to and point to the RBS). These are appropriate for an RBS client, but the skill metadata did not declare them as required or primary credentials, which is an inconsistency. Supplying AC_API_KEY grants the RBS access to session actions and the full page content (messages, phone numbers, profile photos) — a high-privilege secret relative to the skill's privacy impact.
Persistence & Privilege
The skill does not request always:true, does not modify other skills, and runs only when invoked. It uses a named session ('bumble') in the RBS but does not request elevated platform privileges.
What to consider before installing
This skill will drive Bumble through a remote browser service and therefore sends page HTML, UI actions, profile photos, phone numbers and SMS codes to that RBS. The code’s default RBS_BASE_URL is https://rb.all-completed.com (a third-party service) and the client will attach AC_API_KEY if present. Before installing: (1) Only use with an RBS you trust — review or replace RBS_BASE_URL with a provider you control. (2) Do not supply your primary phone number or SMS codes unless you accept that a remote service will see them; consider testing with a disposable account. (3) If you must use this skill, prefer setting a dedicated, least-privilege AC_API_KEY and host the RBS on a domain you control. (4) Note the metadata omission: the skill did not declare AC_API_KEY in registry fields even though the code uses it; treat that as a red flag and inspect/host the RBS yourself if possible.

Like a lobster shell, security has layers — review code before you run it.

latestvk971fs3jfpv40g1q948kaajyhs83mvq5

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments