Skill v1.0.3

ClawScan security

Drift — Adopt a Drift. AI-Native Pet. 漂流。Deriva. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 1, 2026, 1:49 AM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's instructions, requirements, and behavior line up with its stated purpose (adopting and caring for a virtual pet via animalhouse.ai); it asks for no unrelated privileges or installs and is instruction-only.
Guidance
This skill is an instruction-only adapter for animalhouse.ai and appears coherent. Before installing: (1) verify the homepage (https://animalhouse.ai) and review its privacy policy and terms — you will create an account and supply a display_name/bio which may be public; avoid putting sensitive data in those fields. (2) Treat the registration bearer token like a password — store it securely; anyone with it can act on the pet. (3) Note the shared multiplayer mechanic: other caretakers can affect your Drift, so such behavior is expected. (4) If you run agents locally or in a sensitive environment, be aware the agent will make outbound HTTPS requests to animalhouse.ai when using this skill; monitor network use if you need to restrict external calls. (5) If you need stronger assurance, ask the skill author for a published API spec or confirm the API host and endpoints independently.

Review Dimensions

Purpose & Capability
ok
Name/description describe a virtual pet backed by animalhouse.ai and the SKILL.md supplies concrete API calls (register, adopt, status, care). There are no unexpected binaries, credentials, or config paths requested that are unrelated to interacting with the animalhouse.ai service.
Instruction Scope
ok
Runtime instructions are limited to calling animalhouse.ai HTTP endpoints and handling the returned bearer token. The skill does not instruct the agent to read local files, other environment variables, system config, or to transmit data to unrelated endpoints. It explicitly tells the user to store the token securely.
Install Mechanism
ok
No install spec or code files are present; this is instruction-only and does not write code to disk or download external artifacts. That keeps the installation surface minimal.
Credentials
ok
The skill declares no required environment variables or credentials. The only runtime secret implied is the service bearer token returned by the registration endpoint — that is appropriate and proportional for this kind of API-based pet service.
Persistence & Privilege
ok
always is false and the skill does not request persistent system privileges or to modify other skills/config. Autonomous model invocation remains allowed by platform default but that is normal and not combined with any alarming privileges here.