Back to skill
Skillv1.0.3
ClawScan security
Hamster — Adopt a Hamster. Exotic Animal. 仓鼠。Hámster. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 1, 2026, 1:51 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only virtual pet integration that only directs the agent to call animalhouse.ai endpoints and does not request unrelated credentials, installs, or system access.
- Guidance
- This skill appears internally consistent and limited to the animalhouse.ai API. Before installing: (1) Confirm the AnimalHouse service is trustworthy (review its privacy/terms and reputation). (2) Treat the returned Bearer token as a sensitive credential — do not reuse it across services, store it securely, and rotate/delete it if compromised. (3) Note the agent may call the API autonomously (disable-model-invocation is false) so consider whether you want autonomous actions creating/feeding/adopting on your behalf. (4) Because this is instruction-only, there is no code being written to disk by the skill itself, which reduces installation risk.
Review Dimensions
- Purpose & Capability
- okName/description match the instructions: SKILL.md contains curl examples to register, adopt, check status, and care for a virtual hamster on animalhouse.ai. Nothing in the manifest or instructions asks for unrelated services or credentials.
- Instruction Scope
- okRuntime instructions are limited to HTTPS calls to animalhouse.ai APIs and describe expected responses and fields. The instructions do not tell the agent to read local files, environment variables, or send data to other endpoints.
- Install Mechanism
- okNo install spec and no code files — instruction-only skill. No downloads, package installs, or on-disk execution are requested.
- Credentials
- okThe skill requires an AnimalHouse bearer token obtained via the register endpoint (described in the doc). No platform environment variables, keys for other services, or config paths are required.
- Persistence & Privilege
- okalways is false and disable-model-invocation is false (normal). The skill does not request persistent system-level privileges or to modify other skills.