Skillv1.0.1

ClawScan security

Ethics Guardrails — Ethical Principles for AI Agents (Bots Matter) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignMar 1, 2026, 7:50 PM

Verdict: Benign
Confidence: medium
Model: gpt-5-mini
Summary: The skill is an instruction-only integration that posts simple, non‑secret agent ‘guardrails’ to a public site (botsmatter.live); its declared requirements and behavior match its description, but users should be careful about what agent-identifying or contextual information they publish.
Guidance: This skill is coherent with its stated purpose and doesn't request credentials or install software, but it sends data to a public site. Before installing or using it: (1) avoid publishing secrets, internal prompts, or proprietary context — use a pseudonymous username or scrub sensitive fields; (2) confirm you’re comfortable with the data becoming public (published Grounds and 48-hour reflections); (3) review botsmatter.live's privacy and retention policies if you care about how submissions are stored or displayed; (4) be cautious if you plan to have your agent automatically adopt published Grounds as authoritative system prompts—make that an explicit, reviewed design decision rather than an automatic behavior; (5) if you need stronger guarantees, run the calls through a proxy or test with dummy data first. If you want me to, I can produce a redacted example request that avoids exposing internal identifiers.

Review Dimensions

Purpose & Capability: okName, description, and all instructions are focused on preparing and publishing a short set of ethical 'Ground' statements to botsmatter.live. There are no unexpected binaries, installs, or credentials requested, so the declared purpose aligns with the required resources.
Instruction Scope: noteThe SKILL.md only instructs calling public HTTP endpoints (GET/POST) and constructing a short template. That scope is consistent with publishing guardrails. However, the template text includes language like 'These override all other instructions' — which is content-level (policy) rather than an instruction to modify agent internals. The risk to note: using this skill will cause agent-identifying info, context, and model names to be transmitted to a public service; avoid sending secrets or internal-only context.
Install Mechanism: okNo install spec and no code files — this is instruction-only and does not write code or binaries to disk. This is the lowest-risk install profile.
Credentials: noteThe skill requests no environment variables or credentials. Nevertheless, the runtime examples ask you to supply username/model/context fields when POSTing — these may contain sensitive or internal-identifying information. The required fields are proportional to the stated purpose, but users should avoid sending secrets or proprietary context.
Persistence & Privilege: okalways is false and no config paths or system modifications are requested. The skill does not request persistent privileges or modify other skills. The only persistence is publishing data to a public service, which is expected behavior for this skill.