Back to skill
Skillv1.0.0
ClawScan security
Pet Companion Journal · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 15, 2026, 1:43 AM
- Verdict
- Benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent with its description: local-first pet journal code that reads/writes files under a configurable storage root and does not request credentials or call external services.
- Guidance
- This skill is local-first and coherent with the description: it stores profiles, records, media, reminders under ~/.pet-companion (or a PET_COMPANION_HOME you set) and does not contact external services or require secrets. Before using: (1) inspect the repository (it’s small, Python-only) and confirm you’re comfortable with the storage path; (2) avoid running as root — provide normal user privileges so created files remain in your home directory; (3) be cautious about passing arbitrary pet_id or absolute paths (the scripts perform minimal sanitization), as specially-crafted identifiers could cause unexpected file paths — prefer the default slugified IDs; (4) if you need networked backups or sharing, implement/authorize them explicitly rather than relying on the skill. Overall the skill appears benign and implementationally consistent.
Review Dimensions
- Purpose & Capability
- okName/description match the included scripts and docs. The scripts implement pet profile management, record add/query, reminders, and exports — all coherent with the stated 'pet companion journal' purpose.
- Instruction Scope
- noteSKILL.md instructs the agent to run the provided local Python scripts and to store data under ~/.pet-companion (or PET_COMPANION_HOME). That stays within the stated local-first, privacy-conscious scope. Minor note: the runtime allows passing arbitrary pet_id and media paths into file APIs; the docs expect local use but the code performs little sanitization of user-supplied identifiers/paths.
- Install Mechanism
- okNo install spec — instruction-only with bundled scripts. Nothing is downloaded or executed from external URLs; risk from install mechanism is low.
- Credentials
- okThe skill requests no environment variables or credentials. It will honor an optional PET_COMPANION_HOME env var to override storage root (documented in code). That is proportional to a local-first storage tool.
- Persistence & Privilege
- okalways is false and the skill does not request system-wide privileges. It only reads/writes files under its own storage root; it does not modify other skills or global agent settings.