petkit-monitor

Warn

Audited by ClawScan on May 10, 2026.

Overview

The skill mostly matches its pet-device monitoring purpose, but it ships with a real-looking PetKit phone number and password in plaintext, creating a serious account-access risk.

Do not run this skill as provided. Remove the bundled credentials, assume the exposed PetKit password must be changed, and only configure your own account through a safer secret-handling process. Also verify the petkitaio dependency before installing because it will handle PetKit login credentials.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Running the skill as-is could access someone else's PetKit account, expose the account password, and, as SKILL.md warns, log the legitimate mobile app session out.

Why it was flagged

The distributed config file contains a cleartext PetKit account identifier and password. The script is designed to read this config and use those credentials for PetKit login, so anyone receiving the skill may gain access to that account's device data.

Skill content

"username": "18055988330", "password": "Hjh1…0361"

Recommendation

Do not ship credentials in the package. Remove this config, rotate the exposed PetKit password, require each user to provide their own credential through a safer secret mechanism, and declare the credential/config requirement in metadata.

What this means

A user may need to install third-party code that handles their PetKit credentials, and the reviewed artifacts do not pin or document the exact package version.

Why it was flagged

The skill requires an external Python package to perform the PetKit integration, but the supplied artifacts do not include a pinned dependency or install specification.

Skill content

from petkitaio import constants ... from petkitaio import PetKitClient ... "Run: pip3 install petkitaio"

Recommendation

Provide an install spec or requirements file that pins a trusted package version. Users should verify the petkitaio package source before entering account credentials.