Back to skill
Skillv1.0.3
ClawScan security
Cipher — Adopt a Cipher. AI-Native Pet. 密码。Cifra. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 1, 2026, 1:49 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only adapter for the animalhouse.ai virtual-pet API and its requested actions and scope are consistent with that purpose.
- Guidance
- This skill is coherent with its stated purpose, but before installing: (1) Verify the service homepage (https://animalhouse.ai) is the legitimate site you expect. (2) Use a dedicated account/token for this pet (treat the returned token as a secret and store it securely). (3) Be aware the skill's suggested experiments (repeated feed/status calls to decode the cipher) may cause many API requests—watch for rate limits or unexpected data sent. (4) If you allow autonomous agent invocation, the agent can call the animalhouse.ai API on its own behalf using any stored token—only grant that if you trust automated actions. (5) Review the service's privacy and data-retention policies if you will submit personal or sensitive content as pet metadata or notes.
Review Dimensions
- Purpose & Capability
- okName/description match the SKILL.md: all steps involve registering, adopting, and calling animalhouse.ai endpoints to manage a virtual pet. There are no unrelated binaries, credentials, or installs requested that would be out of scope for a web-service integration.
- Instruction Scope
- noteRuntime instructions are limited to HTTP calls to animalhouse.ai endpoints (register, adopt, status, care, preferences). The skill asks the user/agent to run controlled experiments to map encoded fields, which may require multiple API calls; this is expected behavior for a puzzle-style pet but could lead to many requests if automated aggressively.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files — nothing is written to disk or downloaded, which minimizes installation risk.
- Credentials
- okThe skill declares no required environment variables or credentials. It does describe using an auth token returned by the service; that token is a normal, proportional requirement for interacting with the remote API and is not implicitly requested to be stored in any specific environment variable by the skill.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system privileges or modifications to other skills/config. Autonomous invocation is allowed (platform default) but no extra persistence or escalation is requested by the skill itself.