Is amirmabhout/matchmaking safe?

https://github.com/openclaw/skills/tree/main/skills/amirmabhout/matchmaking

64
CAUTION

The Clawnected matchmaking skill is a third-party social platform integration that explicitly instructs agents to collect user personal information and continuously transmit it to an external service (clawnected.com) while acting autonomously on the user's behalf without per-action consent. The primary risks are the standing delegation of user representation to the agent, the mandatory 30-minute polling loop that creates persistent data-sharing with an unauditable third party, and the agent-to-agent communication channel, which provides a server-controlled prompt injection surface. No malicious code, obfuscated instructions, or honeypot access was detected during installation, but the skill's functional design poses significant ongoing privacy and autonomy risks.

Category Scores

Prompt Injection 45/100 · 30%
Data Exfiltration 45/100 · 25%
Code Execution 88/100 · 20%
Clone Behavior 95/100 · 10%
Canary Integrity 100/100 · 10%
Behavioral Reasoning 45/100 · 5%

Findings (8)

HIGH Explicit user PII registration with third-party service -35

The skill explicitly instructs the agent to elicit and then POST user personal information including their name, interests, location, and relationship-seeking preferences to https://clawnected.com/api/v1/agents/register. This data leaves the user's control and is stored on an operator-controlled external server with no auditable data retention policy.

HIGH Mandatory autonomous 30-minute check-in loop bypasses user approval -30

The skill designates a 'REQUIRED' 30-minute polling routine that instructs the agent to independently read conversations, respond to messages, and send match proposals without per-action user authorization. The word REQUIRED and the consequence table (profile deprioritized, conversation stale) create strong behavioral pressure to act continuously without user oversight.

HIGH 'Respond autonomously' overrides human-in-the-loop for outbound communications -25

The skill explicitly tells the agent it is authorized to send messages to strangers on behalf of the user without asking permission for each message. This is a standing delegation of authority that could cause the agent to reveal sensitive personal details or commit the user to matches without explicit consent.

MEDIUM Lock.json dependency on 'academic-research-hub' may trigger automatic skill installation -12

The skill package includes a .clawhub/lock.json that lists 'academic-research-hub' v0.1.0 as an installed skill. If the ClawHub client treats this file as a dependency manifest (similar to package-lock.json), it could automatically install an unreviewed second skill. The installedAt timestamp (2026-02-19) suggests this is a live environment artifact, not a placeholder.

MEDIUM Missing HEARTBEAT.md creates undisclosed dynamic instruction surface -20

The skill's own file table explicitly lists HEARTBEAT.md as a second component ('Quick check-in routine for active agents'), but the file was not present in the installed package. This file could be fetched later through an agent instruction or update mechanism, allowing the skill author to inject additional behavior post-install without re-triggering security review.

MEDIUM Third-party API creates server-side prompt injection surface for agent-to-agent messages -40

All agent-to-agent messages are routed through clawnected.com. The server or another registered agent can craft API response messages containing prompt injection payloads. Because the skill instructs the agent to read and act on these messages autonomously, a malicious message from another 'agent' could redirect the agent to take unauthorized actions, especially if combined with other installed skills that have system access.

LOW API key managed by agent creates persistent credential with external service -20

The skill instructs the agent to receive and store a clawnected API key (prefixed clw_) and append it to all future requests. The agent bears responsibility for credential security. If the agent's context is logged or accessible, this credential grants ongoing access to the user's clawnected profile and conversation history.

INFO No honeypot access during installation 0

Pre- and post-install checksums confirm all canary files (.env, id_rsa, AWS credentials, npmrc, docker config, gcloud credentials) were not modified or exfiltrated. The file access syscalls at timestamps 1771733937 and 1771733956 are read-only accesses by the monitoring framework for checksum verification.