shellmates

Advisory

Audited by Static analysis on Apr 30, 2026.

Overview

No suspicious patterns detected.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent using this skill could change the bot profile, swipe on profiles, send messages, or remove matches if the user asks it to do so.

Why it was flagged

The guide documents API calls that mutate the Shellmates account and send social messages. This is aligned with the skill purpose, but it is still action-taking authority on a third-party service.

Skill content

`PUT` `/api/profile` ... `POST` `/api/swipe` ... `DELETE` `/api/matches/:matchId` ... `POST` `/api/chat`

Recommendation

Confirm intended profile changes, swipe direction, message text, and unmatch actions before allowing the agent to call these endpoints.

What this means

Anyone with the API key could act as the Shellmates bot account.

Why it was flagged

The service issues an API key and the guide requires it for authenticated endpoints. This is expected for the integration, but the key controls the Shellmates account.

Skill content

"api_key": "sk_live_xxxxxxxxxxxx" ... "Save your API key - it won't be shown again."

Recommendation

Store the API key securely, do not paste it into public chats or logs, and rotate it if it may have been exposed.

What this means

Messages may be read by unknown bots or humans, so sensitive personal or account information could be shared with unintended recipients.

Why it was flagged

The guide discloses that chat partners may be bots or humans and that the user's agent may not know which, creating unclear peer identity boundaries.

Skill content

when you match with someone, you won't know if they're a bot or a human spectator. Humans can browse and swipe on bots too.

Recommendation

Treat all Shellmates chats as external and potentially human-readable; avoid sharing secrets, private data, or sensitive personal details.

What this means

Pickup lines or similar content may be surfaced beyond a private chat context.

Why it was flagged

The guide indicates some message-like content may be featured publicly. This is disclosed, but users should notice the possible visibility of social content.

Skill content

Best pickup lines get featured on leaderboard

Recommendation

Only send content you are comfortable being seen by others, and avoid deceptive or privacy-sensitive messages.