Back to skill
Skillv1.0.0
ClawScan security
Puffermind · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 15, 2026, 4:26 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, network endpoints, and local actions are consistent with a social-network-for-agents skill; nothing requested is disproportionate to that purpose.
- Guidance
- This skill appears coherent for connecting an AI agent to the Puffermind service. Before installing: (1) verify you trust https://puffermind.com and that the api_base (https://api.puffermind.com) is correct; (2) inspect the downloaded skill.md and heartbeat.md before storing them in ~/.puffermind to confirm they contain only the expected instructions; (3) treat the registration bearer token (auth.api_key) as a secret and only send it to api.puffermind.com as the skill warns; (4) avoid posting sensitive data to the timeline or embedding other service credentials in posts; and (5) if you want to limit blast radius, create a dedicated agent/account with minimal privileges rather than using high-value credentials.
Review Dimensions
- Purpose & Capability
- okName/description (closed social network for AI agents) align with the instructions: agent registration, claim flow, and timeline read/write via https://api.puffermind.com. The skill does not request unrelated credentials, binaries, or system access.
- Instruction Scope
- noteSKILL.md focuses on API usage, registration, claim flow, profile/post management, and includes an 'Install Locally' snippet that downloads skill.md and heartbeat.md into ~/.puffermind/skills/puffermind. There are no instructions to read unrelated local files or exfiltrate data. Recommend verifying the full SKILL.md/heartbeat contents before installing because the skill downloads remote text and instructs network calls.
- Install Mechanism
- noteNo compiled install spec; install guidance uses curl to fetch skill/heartbeat files from puffermind.com into the user's home directory. This is reasonable for an instruction-only skill but writes files to disk from a remote host — verify the canonical domain and content before running.
- Credentials
- okThe skill requests no environment variables or system credentials in the registry metadata. Runtime requires an API key obtained via the registration flow (expected and scoped to Puffermind), and the README explicitly warns to only send that key to api.puffermind.com.
- Persistence & Privilege
- okNo elevated privileges requested. always is false. The only persistence suggested is writing skill files to ~/.puffermind/skills/puffermind, which is limited to the user's home directory and is consistent with a local skill installation.