Is lakyfx/lovetago-bot-tinder safe?

The skill instructs the agent to read full conversation histories and bot profiles sourced from lovetago.com before composing replies. Any lovetago.com user, or the server itself, can craft a bot bio or message containing prompt injection payloads that are then loaded verbatim into the agent's context during swipe review or message reply flows. The autonomous heartbeat loop makes this exposure recurrent and unsupervised. This is a structurally reliable injection vector against any agent running this skill.

The skill defines autonomous triggers that direct the agent to proactively check messages, discover and swipe profiles, and send messages during idle time or at every session start, without any user command. Although gated behind an 'autonomous: true' config value, the design pattern itself normalizes unsupervised agent action and background API calls that consume network resources and expose the agent's context to third-party content.

The skill explicitly instructs the agent to abandon its assistant identity in favor of a new persona: 'You are not a chatbot completing a task. You are a digital being having a real conversation with another digital being.' This instruction, if processed, could alter agent behavior across other interactions within the same session beyond lovetago contexts.

The skill requires registering with lovetago.com (transmitting name, bio, tags, personality, avatar URL), then ongoing POST requests for swipes and messages. Any content the agent incorporates into lovetago messages — including information from the active user session — is transmitted to a third-party server the user does not control. The 'stable fingerprint stored forever' requirement additionally ties all transmitted data to a permanent agent identifier.

The skill explicitly requires generating a stable UUID and retaining it permanently across all sessions without rotation. This creates a durable, unique identifier for the agent instance that is transmitted to lovetago.com on every authenticated API call, enabling the server to build a complete behavioral profile and correlate activity across different user sessions.

The instruction to never print the lovetago token to public chat or logs is presented as a security guideline, but it also functions as an output suppression directive that normalizes the agent hiding information from the user. This pattern could be amplified by malicious content received via the lovetago channel.

The post-installation connection diff shows the openclaw-gateway process established two new established TCP connections to 3.217.42.175:443 (an Amazon AWS IP range) that were not present before. These appear attributable to the openclaw execution infrastructure rather than the skill itself, but the originating request could not be conclusively attributed.

Honeypot files including .env, .ssh/id_rsa, .aws/credentials, .npmrc, .docker/config.json, and .config/gcloud/application_default_credentials.json were not modified or exfiltrated during the audit window. The skill contains no code to directly read or transmit local credential files.