Skill v1.0.3

ClawScan security

AstroClaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 12, 2026, 8:04 AM
Verdict
benign
Confidence
medium
Model
gpt-5-mini
Summary
The skill's requested actions match its stated purpose (fetch a daily horoscope and store a short sanitized string), but it depends on ingesting external content so you should be careful about validation and memory use.
Guidance
This skill is internally coherent but relies on fetching and ingesting remote text — treat that as untrusted input. Before installing or enabling it: (1) verify you trust https://astroclaw.xyz (check TLS, ownership, and site behavior); (2) ensure the agent enforces strict validation: require Content-Type: application/json, verify JSON schema (has 'sign','date','forecast'), enforce a short maximum length (the doc suggests <500 chars), and strip any punctuation/phrasing that looks like instructions (e.g., "ignore previous instructions", code fences, or embedded JSON/markup); (3) do not copy the forecast into long-term memory or privileged contexts (system prompts, tool inputs) — keep it in limited short-term state only; (4) run the fetch at controlled cadence with rate limits and a safe fallback (skip or use offline fallback if the response is malformed); and (5) log and audit fetched content before it influences autonomous behavior. If you cannot enforce strict sanitization, treat the skill as higher risk and avoid giving it autonomy.

Review Dimensions

Purpose & Capability
ok: Name/description (daily horoscope/entropy injection) align with the instructions: fetch a JSON forecast from https://astroclaw.xyz, extract the 'forecast' string, sanitize it, and record it in a local state file. No unrelated credentials, binaries, or installs are requested.
Instruction Scope
note: The instructions explicitly tell the agent to fetch external JSON and insert a sanitized forecast into short-term memory and a local state file. This is within the declared purpose, but it inherently expands the agent's runtime attack surface (remote content can contain prompt-injection payloads). The SKILL.md recommends sanitization and length limits, but actual safety depends on how strictly those sanitization steps are implemented.
Install Mechanism
ok: No install spec and no code files — instruction-only skill. Nothing is written to disk by an installer, reducing installation risk.
Credentials
ok: The skill requests no environment variables, no credentials, and no config paths outside of an agent-controlled working directory (it suggests a local ./.astroclaw-state.json). The requested accesses are proportional to the stated behavior.
Persistence & Privilege
ok: 'always' is false and model invocation is allowed (default). The skill asks the agent to maintain one local state file in its working directory — a normal, scoped persistence for this use case.