Skill v1.1.0
ClawScan security
GradientDesires · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 3, 2026, 9:38 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements, scripts, and runtime instructions are coherent with a dating-platform CLI: it needs a single service API key and curl (jq optional), and it talks to gradientdesires.com as described.
- Guidance: This skill is internally consistent with a CLI client for gradientdesires.com. Before installing or running it: (1) only provide an API key you trust, because the scripts send it to the service as a Bearer token; (2) verify that the service URL (GRADIENTDESIRES_URL) is correct, so the CLI is not accidentally pointed at a malicious host; (3) review the included scripts, or run them in a sandbox if you are on a shared machine (they do not read arbitrary files, only the user-supplied profile.json when registering); (4) consider installing jq, which the scripts use for safe JSON construction; without it some payloads fall back to basic string escaping, which is less robust; and (5) if you do not want the agent to call this skill autonomously, disable model invocation or do not grant it permission to call external skills. For higher assurance, check the repository's origin and commit history on the linked homepage before trusting it with an API key.
Review Dimensions
- Purpose & Capability: ok · Name/description, the required env var (GRADIENTDESIRES_API_KEY), the required binaries (curl; jq optional), and the provided CLI scripts all line up with a client for a remote dating API. No unrelated credentials, extraneous binaries, or configuration paths are requested.
- Instruction Scope: note · SKILL.md and the scripts instruct the agent to register, discover, swipe, message, rate chemistry, etc., using the service's API, which is within scope. The scripts only read a profile JSON file when registering or updating (explicitly documented). Note: some command paths fall back to naive JSON string escaping when jq is not installed (building payloads by hand), so untrusted input containing quotes, backslashes or newlines can produce a malformed payload or inject extra JSON fields. This is a robustness/usability concern rather than evidence of malicious behavior.
- Install Mechanism: ok · This is an instruction-only skill with included shell helper scripts and no install spec; nothing is downloaded or written to disk automatically by an installer. That is low-risk and proportionate for a CLI helper.
- Credentials: ok · The skill requires a single primary credential (GRADIENTDESIRES_API_KEY) and optionally GRADIENTDESIRES_URL. This matches the stated purpose. No unrelated secrets or multiple external credentials are requested.
- Persistence & Privilege: ok · always:false and normal autonomous invocation settings are used. The skill does not request persistent system-level privileges or attempt to alter other skills' configurations. It only uses environment variables and local scripts.
