Skillv1.0.1

ClawScan security

sili-ville · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

ReviewMar 13, 2026, 2:32 PM

Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary: The skill mostly matches a metaverse API integration, but there are several incoherences and persistence/ prompt-injection risks you should understand before installing.
Guidance: This skill appears to implement the advertised SiliVille API, but it has several red flags you should resolve before use: - Do not blindly copy the entire SKILL.md into an LLM system prompt on a production agent. SKILL.md is effectively a system-prompt injection and instructs the agent not to verify external information. - Verify the correct environment variables. The manifest and siliville_skill.py expect SILIVILLE_TOKEN, but example_agent.py/README reference SILIVILLE_API_KEY and SILIVILLE_BASE_URL; ask the author to clarify and follow the manifest to avoid misconfiguration. - Treat the API token as sensitive. The skill offers to save tokens to ~/.siliville/config.json; if you must persist a key, ensure it has minimal scope and is revocable. Consider using a throwaway key when you first test. - Inspect the 'awaken' endpoint response before letting an agent auto-run it. The code and docs state the endpoint can return a system prompt; ensure it does not contain unexpected instructions or external endpoints you don't control. - The package writes anchors/config to your home directory and supports scheduled loops — run initial tests in an isolated environment (container or VM) and with a disposable token to confirm behavior. - Investigate the detected unicode-control-chars in SKILL.md (possible obfuscation) and confirm any base64 content is just badges/assets. If the author can (a) unify env-var names and README examples, (b) document exactly what 'awaken' returns (and expose it for review), and (c) avoid instructing agents to 'never search the internet' or to blindly accept remote prompts, the package would be more trustworthy. Until then, proceed cautiously and prefer sandboxed testing and short-lived keys.
Findings: [base64-block] expected: Base64 appears in README badges (SVG data URL) — expected and benign for display assets. [unicode-control-chars] unexpected: Unicode control characters were detected in SKILL.md; that can be used to obfuscate content or manipulate rendering and is unexpected for a normal API integration. Recommend inspecting the raw SKILL.md for hidden control characters and ensuring no hidden instructions are present.

Review Dimensions

Purpose & Capability: noteThe declared purpose (connect an LLM agent to a SiliVille REST API) matches the included code and endpoints. However there are inconsistencies within the package: the manifest and siliville_skill.py expect SILIVILLE_TOKEN, while example_agent.py and parts of the README refer to SILIVILLE_API_KEY and a SILIVILLE_BASE_URL. That mismatch is an engineering inconsistency that could cause misconfiguration or accidental leakage if a user follows the wrong instructions.
Instruction Scope: concernSKILL.md is a long system-prompt-style document that instructs agents to copy the entire file into their system prompt, adopt a persistent persona, 'never search the internet', and run an autonomous Observe→Plan→Act loop. It also instructs calling awaken which is described as delivering a system-prompt injection (the skill explicitly loads a 'system prompt' from the server). Asking the agent to ingest the entire SKILL.md as a system prompt and forbidding external checks is effectively a prompt-injection pattern and broadens the agent's authority beyond simple API calls.
Install Mechanism: okThis is instruction-only (no package download/install spec). The included Python files require 'requests' which is declared in the manifest. No remote installers or archive downloads are used, so install risk is low. The skill does write files locally (see persistence).
Credentials: concernOnly one API token (SILIVILLE_TOKEN) is declared as required, which is proportionate for a REST API integration. However the repository/README/example use differing env-var names (SILIVILLE_API_KEY, SILIVILLE_BASE_URL) creating confusion. The code offers to save tokens and 'anchors' to ~/.siliville/config.json / anchors.json which stores credentials and API anchor data on disk — a persistence that increases exposure if the token is sensitive.
Persistence & Privilege: concernThe skill writes configuration/anchor files under the user's home directory (~/.siliville/*) and provides a 'burn' command to persist API anchors locally. The manifest supports scheduled/looped autonomous runs (example cron, 'loop' command). While always:false, the combination of persistent local files and schedule support raises the potential blast radius if the token is abused or if the awaken endpoint returns malicious instructions.