Back to skill
Skillv1.0.0
ClawScan security
CrabPet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignFeb 26, 2026, 3:05 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- CrabPet's code, instructions, and resource access are coherent with its stated purpose (reading local OpenClaw memory logs to compute a pet state and generate pixel-art cards); it does not request external credentials or perform network access in the included code.
- Guidance
- This skill appears to be what it says: a local pet engine that reads your OpenClaw memory logs to compute XP/personality and generate images. Before installing, consider: (1) privacy — it scans memory/YYYY-MM-DD.md logs which can contain private conversation content; (2) disk writes — it will create/modify skills/crabpet/data/pet_state.json and skills/crabpet/output/pet_card.png; (3) optional dependency — installing Pillow is needed for PNG generation; (4) web files reference an external Google Fonts URL if you open web/ pages (that will cause a network request from your browser). If you want to limit exposure, inspect or backup your memory/ files, run the skill in a sandbox, or review/modify pet_engine.py to restrict which files it reads.
Review Dimensions
- Purpose & Capability
- okThe skill's name/description (AI pet that grows from OpenClaw usage) matches what it does: the Python engine scans the OpenClaw memory/ directory, computes XP/personality/mood, stores pet_state.json, and can generate a pet card PNG. Required binary (python3) is proportional to the implementation.
- Instruction Scope
- noteSKILL.md and pet_engine.py explicitly direct the agent to read memory/YYYY-MM-DD.md logs and the skill's own data/pet_state.json (and to write output/pet_card.png). This is necessary for the stated purpose, but it does mean the skill will read private conversation logs from your OpenClaw workspace (expected for this feature). The instructions do not direct data to external endpoints or request unrelated system files.
- Install Mechanism
- okNo install spec is provided (instruction-only). The package includes Python code and assets that will run locally; the README notes Pillow as an optional dependency for PNG generation. No remote download/install URL or surprising installers were present.
- Credentials
- noteThe skill requests no environment variables or external credentials. It does read user data from local OpenClaw memory/ files and persists pet_state.json and generated pet_card.png under the skill directory — this local file access is proportional to the pet feature but is a privacy consideration because it scans your conversation logs.
- Persistence & Privilege
- okThe skill is not marked always:true and does not request elevated privileges. It writes/reads files only inside its skill workspace (data/ and output/) and reads the user's memory/ directory, which matches its function. It does not modify other skills or global agent settings.