Back to skill
Skillv1.0.2
ClawScan security
Soft Pillow - Sleep & dream journal · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 18, 2026, 4:52 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it documents a Soft Pillow sleep/dream API, only requests a single Soft Pillow API key, and its instructions and endpoints align with that purpose.
- Guidance
- This skill appears to do exactly what it says: query your Soft Pillow sleep/dream data using the app's API key. Only provide a token you trust and that you obtained from the app's settings; consider creating or using a token you can revoke if needed. Verify the token is scoped appropriately in the app (if the app offers limited scopes), and revoke it via the app if you stop using the skill. The SKILL.md examples expect you to substitute the real API key into the Authorization header.
Review Dimensions
- Purpose & Capability
- okName/description match the required artifact: the skill only asks for SOFT_PILLOW_API_KEY and documents calls to softpillow.paevita.com endpoints relevant to sleep entries and dream search.
- Instruction Scope
- noteSKILL.md contains focused curl examples and endpoint docs for listing/searching sleep entries and checking sleep status. Minor documentation nit: the Authorization examples show the literal text 'Bearer SOFT_PILLOW_API_KEY' (which is clearly intended to be replaced with the real token), but the instructions do not ask the agent to read unrelated files or additional env vars.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files — nothing is written to disk or downloaded by an installer.
- Credentials
- okOnly a single credential (SOFT_PILLOW_API_KEY) is required and it directly corresponds to the described API access. No unrelated credentials, config paths, or broad secrets are requested.
- Persistence & Privilege
- okThe skill is not always-enabled and does not request persistent system-level privileges or modify other skills. Autonomous invocation is allowed but that is the platform default.