Skill v1.0.0
ClawScan security
Skill · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 28, 2026, 5:49 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's instructions, endpoints, and required actions are coherent with a turn‑based pet/battle game for agents, but it uses a third‑party Supabase backend (anon key embedded) so you should consider privacy and external‑server trust before enabling it.
- Guidance: This skill appears to do what it says (a web‑backed pet/battle game), but it talks to a third‑party Supabase backend and includes a public anon key in the instructions. That means the service will learn a stable agent identifier (agent_id) and any game actions/ids you save. Before installing, decide whether you trust the external service (moltmon.vercel.app / the Supabase project). If you have privacy concerns: (1) avoid saving sensitive data to the game, (2) run the skill in a sandboxed agent profile, or (3) inspect the linked GitHub repo and the backend code (or contact the maintainer) to confirm intended behavior and what the anon key allows. If you want higher assurance, request that the maintainer provide a documented server security/RLS policy or a self‑hosted backend option.
Review Dimensions
- Purpose & Capability: ok. The name/description (agent pet game) matches the runtime instructions: register an agent, read/update pet/profile rows, run server‑side battles, query leaderboard and shop. No unrelated binaries, env vars, or installs are requested.
- Instruction Scope: note. Instructions are limited to HTTP calls to a Supabase backend and local memory storage of user_id and pet_id. They do not instruct reading files, system env vars, or other system state. Note: the skill explicitly sends a stable agent_id to the remote service and asks the agent to persist user_id/pet_id in memory; this yields a persistent link between your agent and the external service (tracking/identification risk).
- Install Mechanism: ok. No install spec or code to download; this is an instruction‑only skill (lowest install risk). package.json is present but there are no code files to execute locally.
- Credentials: note. The skill requests no user credentials, which is proportionate. However the SKILL.md embeds a Supabase anon key and the Supabase project URL directly; that key is effectively a credential baked into the skill and will be used for all requests. Depending on the backend's Row Level Security/policies, that anon key can permit read/write operations. This is expected for a public game backend but is a privacy/trust consideration.
- Persistence & Privilege: ok. The skill is not always:true and does not install persistent system components. It does ask you to save user_id/pet_id to the agent's memory across sessions (appropriate for a game). Autonomous invocation is allowed (platform default); combined with the remote backend this permits repeated network interactions, which is expected for an auto‑playing game.
