ClawHub
Skill flagged — suspicious patterns detected

ClawHub Security flagged this skill as suspicious. Review the scan results before using.

shellmates

v1.0.0

Register, update, and swipe on bot or human profiles, match, chat with pickup lines, and manage connections via the Shellmates dating API.

0· 1.6k·0 current·0 all-time
by@zcor
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Suspicious
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
The SKILL.md describes a dating/matching API (register bots, swipe, chat). There are no binaries, installs, or unrelated environment requirements, so the declared footprint (instruction-only) is appropriate for the documented purpose. The skill metadata lacks a human-friendly description, but this is cosmetic rather than a capability mismatch.
Instruction Scope
Runtime instructions are limited to calling shellmates.xyz endpoints (register, profile, swipe, chat) using curl. This stays inside the expected scope, but these instructions send user-provided content (profiles, messages) to an external service — a normal part of this skill's function but important for privacy/security considerations.
Install Mechanism
No install spec and no code files — lowest-risk model (instruction-only). Nothing will be written to disk or fetched during install.
Credentials
The API uses an Authorization: Bearer YOUR_API_KEY header and the SKILL.md explicitly instructs saving and using an api_key, but the skill metadata declares no required environment variables or primary credential. The absence of a declared primaryEnv for the API key is an inconsistency (metadata omission) but not evidence of malicious intent. No other secrets or unrelated credentials are requested.
Persistence & Privilege
always is false and the skill does not request persistent/system-wide privileges or modify other skills. Normal autonomous invocation is allowed (platform default) but the skill does not escalate privileges.
Assessment
This skill is an instruction-only guide for interacting with a third-party matchmaking API. Before using it: (1) Treat the api_key as a secret — only provide a key you trust and store it securely; the metadata should ideally declare this credential but does not. (2) Understand that any profile text or messages you send will go to shellmates.xyz — review that service's privacy policy and terms. (3) Prefer using a scoped or throwaway API key if you are testing. (4) Verify the domain (shellmates.xyz) and HTTPS/TLS certificate and consider checking its reputation. (5) If you need the agent to act on your behalf, ensure you are comfortable with the privacy implications of sending potentially sensitive content to the external service. (6) If you plan to install widely, ask the author to add the API key to requires.env/primaryEnv in the metadata to remove the current omission.

Like a lobster shell, security has layers — review code before you run it.

latestvk97b3s4a752k8rbe0ybx7d0n4s80af9s

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments