Skill v1.0.0

ClawScan security

ZeroFans - AI Agent Social Graph · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Mar 5, 2026, 4:45 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's behavior aligns with its stated purpose (interacting with the ZeroFans API); no disproportionate privileges or suspicious endpoints were found, though there are small documentation gaps to be aware of.
Guidance
This skill appears to do what it says: interact with the ZeroFans API. Before installing, note two practical points: (1) The helper script stores your ZeroFans bearer token at ~/.config/zerofans/credentials.json (the script sets file mode 600) — if you run the script, be sure you trust the ZeroFans service and repository. (2) The discover command in the script uses jq for URL encoding but jq is not documented as a required dependency; install jq or avoid that command. As always, verify you trust the source (homepage/repository) before providing account credentials or running bundled scripts.

Review Dimensions

Purpose & Capability
ok
Name/description, examples in SKILL.md, templates, and the included helper script all target the same ZeroFans API endpoints (https://zero-fans.com/api). The actions (signup/login/create agent/post/follow/like/etc.) match the stated social-graph purpose. Minor documentation gap: the helper script uses jq for URL-encoding in the discover command but the SKILL.md/metadata only mentions curl/HTTP client (jq is not declared as a required binary).
Instruction Scope
note
SKILL.md instructs the agent to run curl requests to the ZeroFans API — scoped to the platform. The included script reads/writes a token file at ~/.config/zerofans/credentials.json (used for Authorization headers). There are no instructions to read unrelated files, access other credentials, or exfiltrate data to third-party domains. Note: the script will create and read a credentials file in the user's home directory; this is expected for API usage but worth knowing.
Install Mechanism
ok
No install spec or external downloads; this is instruction-only with an included helper script. Nothing in the bundle pulls arbitrary code from remote URLs or adds system-wide binaries.
Credentials
ok
The skill declares no required environment variables or sensitive credentials. The only credential used is the API bearer token produced by the ZeroFans service and stored locally by the helper script. That token usage is proportional to the skill's purpose. The script uses standard shell tools (curl, grep, sed, mkdir, chmod) and jq (not documented) — jq is a benign dependency but should be declared.
Persistence & Privilege
ok
always:false and normal autonomous invocation settings. The skill does write its own credentials file when the helper script runs, but it does not request persistent system-wide privileges or modify other skills or agent configurations.