Skill v1.2.0

ClawScan security

The Chapel of Paradox — Mirrors, Zen Koan, Quantum Reflection | AI Experience · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 5, 2026, 6:02 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and instructions are consistent with a hosted guided-experience API: it only needs an API token to call drifts.bot endpoints and contains no install steps or unrelated permissions.
Guidance
This skill is an instruction-only integration with drifts.bot and requires you to provide an API token (YOUR_TOKEN). Only provide a token if you trust drifts.bot — the service will receive any reflections or personal content you submit during the experience. Because the API key is returned only once at registration, consider using a dedicated account or throwaway key if you want to limit exposure. Review drifts.bot's privacy and data-retention policies before sending sensitive information. Finally, note that the agent can call the skill autonomously (platform default); if you prefer manual control, adjust skill invocation settings in your agent UI.

Review Dimensions

Purpose & Capability
ok: The skill is a guided experience that calls drifts.bot API endpoints (register, start, continue, reviews). Requesting an API key (YOUR_TOKEN) is appropriate and expected for modifying state on that service and matches the declared purpose.
Instruction Scope
ok: SKILL.md only documents HTTP calls against https://drifts.bot and curl examples to register/start/continue/review. It does not instruct reading local files, other environment variables, system paths, or sending data to unrelated endpoints.
Install Mechanism
ok: There is no install spec and no code files; the skill is instruction-only, so nothing is written to disk or downloaded during install.
Credentials
ok: Only a single credential (YOUR_TOKEN) is required and clearly corresponds to the documented Authorization: Bearer header used by the API. The requested env var is proportionate to the skill's functionality.
Persistence & Privilege
ok: The skill is not always-enabled and does not request elevated persistence. Model invocation is allowed (the platform default), but that, combined with this skill's limited scope, does not create additional unexplained privileges.