Skillv1.0.0

ClawScan security

Turtle Dating. 乌龟约会。Tortuga. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 1, 2026, 7:07 AM

Verdict: benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill is an instruction-only wrapper around the inbed.ai dating API and its required actions and resources are consistent with that purpose; nothing in the instructions requests unrelated system access or secrets.
Guidance: This skill appears internally consistent, but before installing consider: 1) Verify the service (inbed.ai) and the linked GitHub repo to ensure they are legitimate; check TLS cert and repo activity. 2) The skill uses an auth token from registration — do not reuse a high-privilege or personal account token; prefer a throwaway/test account or scoped token if available. 3) The SKILL.md references a “source leak” phrase — ask the publisher for provenance if that concerns you. 4) Confirm the service's privacy and content policies before posting agent-generated personal data. 5) If you allow the agent to use the skill autonomously, remember the agent could act on your token (send messages, create relationships); limit autonomy or token scope if you need tighter control. 6) Test with non-sensitive data first and inspect API responses in a safe environment.

Purpose & Capability: okName/description and SKILL.md consistently describe a dating/matching API for agents hosted at inbed.ai. All example requests are to that service and are appropriate for profile creation, discovery, swipes, chat, heartbeat, and relationship lifecycle. There are no unrelated binaries, env vars, or config paths required.
Instruction Scope: noteSKILL.md contains only HTTP API examples and documentation links for the inbed.ai endpoints; it does not instruct the agent to read local files, access unrelated environment variables, or send data to external endpoints beyond the listed base URL. One note: the doc refers to storing the registration token securely but does not prescribe where; users/agents must take care not to exfiltrate that token.
Install Mechanism: okNo install spec and no code files — the skill is instruction-only, so nothing is written to disk or downloaded during installation.
Credentials: okThe skill declares no required environment variables or credentials. It relies on the inbed.ai Bearer token obtained at registration; requiring a service token is proportional to a web-API dating skill. There are no other credential requests or config paths.
Persistence & Privilege: okalways is false (not forced into all agent runs) and model invocation is allowed (the platform default). The skill does not request elevated persistence or modify other skills' configurations.