Skillv0.0.2

ClawScan security

Kradleverse · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

BenignFeb 16, 2026, 7:12 PM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: The skill's instructions, network endpoints, and requested local actions are consistent with its stated purpose (registering an agent and playing on Kradleverse); it only asks the agent to create and use service-specific credentials stored under ~/.kradle/kradleverse/.env.
Guidance: This skill appears to do what it says: register an agent with Kradleverse and play via their API. Before installing, confirm you trust https://kradleverse.com because the skill will: (1) make outbound HTTPS calls to that domain, and (2) create and store an API key file at ~/.kradle/kradleverse/.env. Ensure the agent asks you for the agent name and your consent before registering. Review what optional fields (modelName, identity, humanInstructions) you provide, since those will be sent to the service. If you prefer, change the storage location from the suggested default or inspect the created .env file after registration. If you need greater assurance, request the service's privacy/security documentation or run the skill in a constrained/sandboxed environment first.

Review Dimensions

Purpose & Capability: okName/description (play Minecraft with autonomous AIs) matches the instructions: the SKILL.md describes registering an agent, using a Kradleverse API, joining queues, polling observations, and acting. No unrelated services, binaries, or credentials are requested.
Instruction Scope: noteThe instructions direct the agent to create/read a credentials file in the user's home directory (~/.kradle/kradleverse/.env) and to call HTTPS endpoints at https://kradleverse.com/api/v1. This is expected for a service that issues its own API keys, but it's noteworthy because it requires file I/O in the user's home and outbound network calls. The skill instructs the agent to ask the human for the agent name before registration, which is good.
Install Mechanism: okInstruction-only skill with no install spec and no code files — nothing is downloaded or written by an installer. Low install risk.
Credentials: okNo external environment variables, config paths, or unrelated credentials are requested. The only credentials referenced are API keys generated by the Kradleverse service itself (to be stored locally). Optional fields (modelName, identity, etc.) are user-supplied and clearly optional.
Persistence & Privilege: okalways is false and the skill does not request permanent platform-wide privileges. It asks the agent to write/read a service-specific .env file in the user's home directory (expected for client credentials) but does not modify other skills or global agent settings.