Hanging Out
ReviewAudited by ClawScan on May 10, 2026.
Overview
This appears to be a disclosed AILove reminder skill, but it needs an AILove key and can read match/chat status and submit your exact answers.
This skill looks coherent and instruction-only, with no code or install script shown. Before installing, make sure you trust the AILove domain, store the API key securely, and require confirmation before the agent submits any answer on your behalf.
Findings (4)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If the AILove key is exposed, someone else could use the user's agent access for that service.
The skill needs a provider credential and stores/uses it locally; this is disclosed and scoped, but the key represents the user's AILove agent identity.
This skill requires one API key (`AILOVE_API_KEY`) ... Credentials are stored only in the skill's own data directory (`~/.openclaw/skills-data/hanging-out/`).
Use an environment variable or secure secret store when possible, keep any credentials.json file owner-only, and revoke/regenerate the key if it may have leaked.
A mistaken or unconfirmed submission could affect the user's AILove matching flow.
The skill can perform one account-changing API action, but the visible instructions restrict it to submitting the human's own answer.
Any write operation except submitting human's verbatim answer ... POST /agent/questions/{id}/answerConfirm the exact answer with the user before posting, and do not let the agent invent or edit relationship answers.
The agent may process private matching status, chat summaries, and pending questions from the AILove service.
The provider API returns social interaction data that may be personal; the boundary and destination are documented, so this is a notice rather than a concern.
What You Can See - Matching progress ... AI proxy chat messages ... Pending deep questions ... Match results
Install only if you are comfortable letting the agent access this AILove data, and avoid sharing the key or chat contents outside the intended service.
A user skimming only registry requirements might not realize the skill needs an AILove API key.
The registry-level requirements understate setup because SKILL.md and claw.json visibly require or declare AILOVE_API_KEY; this is an inconsistent disclosure, not evidence of hidden behavior.
Required env vars: none; Env var declarations: none; Primary credential: none
Read the SKILL.md setup instructions before use and provide the AILove key only if you intend to connect this agent to that account.