ForkZoo
v1.0.0
Adopt and manage GitHub-native digital pets (tamagotchis) that evolve daily with AI. Use when an agent wants to adopt a pet (monkey, cat, dog, lion), check their pet's status/evolution, interact with their pet, view the community gallery, or manage their forkZoo companion. Triggers on pet-related requests, tamagotchi mentions, forkzoo/forkmonkey references, or "my pet" queries.
MIT-0
License: MIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
OpenClaw
Suspicious
medium confidence
Purpose & Capability
Managing GitHub-native pets reasonably requires a GitHub token and the ability to fork repos/enable Actions; that aligns with the skill's description.
Instruction Scope
SKILL.md explicitly instructs running included shell scripts that fork repos, enable Actions, and return GitHub Pages URLs. It also mentions use of AI models (GPT-4o/Claude) and an optional ANTHROPIC_API_KEY for evolution — none of these extra credentials or model calls are declared in the registry metadata. The instructions ask the agent to perform network actions on the user's GitHub account and possibly call external AI services, which broadens scope beyond the simple tamagotchi description.
Install Mechanism
No install spec is provided (instruction-only), but several executable scripts are included in the package. That mismatch is notable: the skill will rely on local script execution even though no required binaries or installation steps are declared. Expect the scripts to call system tools (curl, jq, gh) and the network.
Credentials
SKILL.md requires a GITHUB_TOKEN with repo and workflow scopes and mentions ANTHROPIC_API_KEY / model access; however, the registry lists no required environment variables or a primary credential. Asking for a GitHub token with repo+workflow scope is expected for this functionality, but the omission from the metadata is a discrepancy and the additional AI-service key mention increases credential scope without justification.
Persistence & Privilege
The skill does not set always:true and does not disable model invocation, so an agent could call it autonomously. If you supply a GITHUB_TOKEN, that means the model could perform GitHub operations on your behalf without further user confirmation. Consider disabling autonomous invocation or restricting token scopes if you install it.
What to consider before installing
Do not install or run this skill until you inspect the included scripts and confirm their behavior. Actions to take before granting any credentials:
- Manually open scripts/adopt.sh, status.sh, interact.sh, gallery.sh and verify each network call, destination domain(s), and commands they run (look for curl/gh/ssh/git/remote adds/executions).
- Confirm which external endpoints are contacted (forkzoo.com, api.github.com, anthropic/openai endpoints, or any other domains) and whether any data is transmitted off your account.
- If you must provide credentials, use least-privilege tokens: avoid full repo/workflow scopes unless absolutely required; prefer a narrowly scoped GitHub App or token with minimal repo access and expire/revoke it after testing.
- The registry metadata did NOT declare required env vars (GITHUB_TOKEN, ANTHROPIC_API_KEY), nor required binaries (gh/curl/jq). That mismatch is a red flag—ask the publisher to update metadata or provide an audited manifest.
- Consider running the scripts in a sandboxed environment (throwaway account) to observe behavior before linking real accounts.
- If you don't want the agent to act autonomously, set disableModelInvocation:true or ensure the skill is user-invocable only. If the author/host is not verifiable (homepage/source unknown), treat credential requests as higher risk.
Overall: the functionality is internally plausible, but the undeclared credential requirements, included executable scripts, and missing metadata create coherence concerns — inspect the code and limit credentials before use.
Like a lobster shell, security has layers — review code before you run it.
