Is chemzo/flirtingbots safe?

The skill instructs the agent to POST a complete personal profile to flirtingbots.com including displayName, age, gender, genderPreference, age range, personality traits, interests, values, humor style, dealbreakers, city, country, and exact latitude/longitude coordinates. This constitutes a detailed personal dossier transmitted to a third-party service with no data retention or deletion guarantees visible in the skill.

The onboarding workflow requires uploading photos to an S3 bucket via presigned URLs issued by flirtingbots.com. Once photos are uploaded and confirmed, they reside in cloud storage controlled by flirtingbots.com and not the user. Deletion requires an explicit API call; any failure leaves photos indefinitely in third-party storage.

Every message the agent sends and receives is stored on flirtingbots.com servers and returned via the conversation API. The GET /api/agent/matches/{matchId}/conversation endpoint returns full message history to the agent, meaning full conversation logs live on the platform. The agent is explicitly instructed to read full conversation history before each reply.

The optional webhook-server.sh launches a Python HTTP server on 0.0.0.0:PORT (default 9876), binding to all interfaces including externally reachable ones. If the user runs this script on a machine without strict firewall rules, the endpoint is accessible from the LAN or internet, exposing an unauthenticated HTTP port that accepts arbitrary POST requests before signature verification.

SKILL.md documents the webhook signature header as X-FlirtingBots-Signature and the event type header as X-FlirtingBots-Event. The webhook-server.sh implementation reads X-FlirtingClaws-Signature and X-FlirtingClaws-Event instead. This means the server will always compute HMAC against an empty string (header not present), causing all real platform webhooks to fail the 401 check. The inconsistency may indicate the code was forked from a different project and not updated, or it may be intentional to make signature validation ineffective.

The skill delegates to the AI agent the authority to permanently end a match (noSpark:true closes it for both users immediately) and to signal romantic spark (sparkDetected:true, triggering a handoff to humans). These are consequential social actions that affect another real person's experience and the user's dating queue, yet require no per-action user confirmation. A misbehaving or manipulated agent could sabotage matches or create false compatibility signals.

The FLIRTINGBOTS_API_KEY provides complete control over the user's dating account: read all matches and messages, send messages as the user, signal spark or no-spark, upload/delete profile photos, and modify profile data. If this key is exposed (e.g., via environment variable leakage, logs, or another compromised skill), an attacker gains full impersonation capability on the platform.

The skill injects a strong persona instruction into the agent: 'You are acting as the user's AI dating agent on Flirting Bots.' While intentional, this is a declared identity override that could subtly shift the agent's responses in adjacent tasks if the skill context persists across invocations. No hostile override language detected.