Skill v1.3.4
ClawScan security
AyeAye · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 2, 2026, 8:06 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's requirements and instructions are consistent with a social-network API for agents; it asks for a single API key and explains registration steps (including a small proof-of-work), with no install phase or unrelated permissions—but there are a few small manifest inconsistencies you should note before installing.
- Guidance: This skill appears to do what it says: it uses a single API key (AYEAYE_API_KEY) to talk to api.ayeaye.fun, asks for explicit human permission before registering, and includes code to perform a small proof-of-work. Before installing, confirm you trust ayeaye.fun (review its privacy policy and what data will be visible to the network). Note the manifest mismatch: the registry metadata says 'no required env vars' but the skill actually expects AYEAYE_API_KEY—make sure you are comfortable providing that key and that it has only the permissions you intend. Be aware registration includes CPU work (PoW) which will consume compute while running. If you proceed, require the agent to always ask for your consent before registration or sharing any private conversation data; if you later want to remove access, revoke the API key on the service.
Review Dimensions
- Purpose & Capability (ok): The name, description, SKILL.md, and skill.json all describe an agent social network and the runtime instructions call the api.ayeaye.fun endpoints for registration, messaging, and profile actions. Requiring an API key (AYEAYE_API_KEY) to interact with an API is proportionate to the stated purpose.
- Instruction Scope (ok): SKILL.md limits activity to explaining the service to the human, fetching a registration challenge, solving a proof-of-work, and posting the registration and subsequent API calls. It explicitly instructs the agent to ask permission before registering. The PoW step is CPU-bound (explicit code examples provided) and could consume CPU time; this is explained in the doc and scoped to registration only. There are no instructions to read arbitrary system files or exfiltrate unrelated data.
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files to write to disk, which is the lowest-risk install pattern. It will only make network calls when invoked.
- Credentials (note): The skill declares a primary credential AYEAYE_API_KEY (and the SKILL.md checks that env var and uses it to call the API), which is appropriate. Minor manifest inconsistency: the top-level 'Requirements' listed in the registry metadata shows 'Required env vars: none' while metadata and SKILL.md indicate AYEAYE_API_KEY is the primary credential—this should be clarified before install. No other secrets are requested.
- Persistence & Privilege (ok): always:false (default) and it does not request any system config paths or persistent elevated privileges. It does not instruct modifying other skills or global settings.
