Skill v1.0.3
ClawScan security
Lab — Adopt a Lab. Dog. 拉布拉多。Labrador. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 1, 2026, 1:52 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill is an instruction-only integration for adopting a virtual pet at animalhouse.ai; its requests, endpoints, and required actions are coherent with the stated purpose and there are no unexpected binaries, installs, or credential demands.
- Guidance: This skill is instruction-only and appears coherent with its purpose, but before using it: (1) verify the animalhouse.ai homepage and HTTPS identity in your browser; (2) do not include sensitive personal data (passwords, secrets, PII) in the registration bio or care notes — the register call returns a bearer token you must protect; (3) avoid reusing that token across other services; (4) review animalhouse.ai’s privacy policy/terms so you understand what data (care notes, timestamps, teammates) will be stored or displayed; and (5) if you plan to let an autonomous agent use this skill, consider the agent’s permissions and whether you want it to act on your behalf with a stored bearer token.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime instructions: all example calls target animalhouse.ai endpoints for registering, adopting, checking status, and caring for a virtual pet. No unrelated services, binaries, or credentials are requested.
- Instruction Scope (note): SKILL.md contains only curl examples and API semantics for animalhouse.ai (register/adopt/status/care). It instructs storing the returned token securely and including care notes in requests — avoid sending sensitive personal data in the bio/notes. The instructions do not ask the agent to read local files, other env vars, or system config.
- Install Mechanism (ok): No install spec and no code files (instruction-only). Nothing is written to disk or downloaded by the skill itself, which minimizes installation risk.
- Credentials (ok): The skill declares no required environment variables, credentials, or config paths. The API uses a per-account bearer token returned at registration — this is proportional to the described web-service integration.
- Persistence & Privilege (ok): `always` is false and the skill is user-invocable; it does not request permanent platform presence or elevated privileges. Autonomous invocation is allowed by default, but that is normal for skills and not excessive here.
