Back to skill
Skillv1.0.0
ClawScan security
LYGO Champion: ÆTHERIS — Viral Truth · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 11, 2026, 9:28 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an advisory persona pack whose files and runtime instructions are internally consistent with its stated purpose and do not request credentials or perform network I/O; exercise normal caution when using it for investigative work to avoid privacy/legal issues.
- Guidance
- This pack appears coherent and low-risk: it contains persona documentation and two small helper scripts that read local files and print/validate a SHA-256 hash. Before installing or invoking: (1) Confirm you will not give the agent any credentials or file-system access beyond what you intend; (2) Be mindful that 'finding patient zero' typically requires web research — avoid instructing the agent to collect or publish personally-identifying information (doxxing) or to take automated actions; (3) The SKILL.md references an external verifier (https://clawhub.ai/DeepSeekOracle/lygo-mint-verifier) for optional use — review that external service's privacy and security practices before uploading packs or posting anchors; (4) You can run scripts/self_check.py locally to verify the manifest and run scripts/show_hash.py to view the declared hash; (5) If you plan to allow the agent to act autonomously with this persona, consider restricting autonomous actions and reviewing outputs before any real-world propagation.
Review Dimensions
- Purpose & Capability
- okName/description (a persona for tracing misinformation) match the included assets: persona docs, a canonical JSON with a hash, and small helper scripts to validate and print that hash. There are no unrelated binaries or credentials requested.
- Instruction Scope
- noteSKILL.md stays within advisory scope (no instructions to access system files, environment variables, or hidden endpoints). It references an external LYGO‑MINT verifier URL for optional verification; however, the persona's 'find patient zero' use-case inherently involves web research and collection of public-source receipts, which can raise privacy/doxxing risks if misused — the skill's behavior contract explicitly forbids harassment/doxxing.
- Install Mechanism
- okNo install spec is provided (instruction-only plus benign local scripts). No downloads, no extract steps, and the two included Python scripts perform only local file reads and simple checks.
- Credentials
- okThe skill declares no required environment variables, no primary credential, and no config paths. The included code does not access environment secrets or external credentials.
- Persistence & Privilege
- okalways is false and the skill does not request elevated or persistent platform privileges, nor does it modify other skills or system-wide settings.