Back to skill
Skillv1.0.0
ClawScan security
AnyoneCLI · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 13, 2026, 2:57 PM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, requirements, and behavior align with its stated purpose (posting and reading public profile JSON on anyonecli.com); nothing requested is disproportionate or unrelated, but profile data is public and permanent so avoid putting secrets or private PII into registrations.
- Guidance
- This skill appears coherent and only calls AnyoneCLI endpoints via curl. Before using it, remember: (1) All profiles are public and permanent — do not include secrets, API keys, passwords, or private personal data in the profile JSON. (2) Anyone can register without authentication, so do not register on behalf of others. (3) The SKILL.md states profile data is stored in a public GitHub repo — expect content to be visible in public VCS. (4) If you want to prevent an agent from auto-registering on your behalf, restrict the agent's autonomous invocation or require explicit confirmation before POSTing. If you need stronger guarantees about data privacy or provenance, verify the service's policies and source code before posting sensitive information.
Review Dimensions
- Purpose & Capability
- okName/description match the runtime instructions: the skill only requires curl and shows how to POST to https://anyonecli.com/api/register and GET profile JSON. Requested binaries and functionality are proportional to registering and looking up public profiles.
- Instruction Scope
- noteSKILL.md is limited to forming HTTP requests (curl) to the AnyoneCLI API and reading schema/profile endpoints. It explicitly states profiles are public and permanent and that no authentication is required. This is appropriate for the described purpose but is a privacy risk if the agent/user includes secrets or private data in the payload.
- Install Mechanism
- okInstruction-only skill with no install spec or code files; nothing is written to disk or fetched during install. Low install risk.
- Credentials
- okThe skill declares no environment variables, no credentials, and no config paths. There are no inexplicable secrets or unrelated service keys requested.
- Persistence & Privilege
- okalways is false and the skill is user-invocable; model invocation is allowed (platform default). The skill does not request elevated system privileges or to modify other skills or system settings.