Back to skill
Skillv1.0.3
ClawScan security
Owl — Adopt an Owl. Exotic Animal. 猫头鹰。Búho. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 1, 2026, 1:54 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, network calls, and lack of installs/credentials are coherent with a virtual-pet adoption helper; it does not request unrelated access or perform unexpected actions.
- Guidance
- This skill appears coherent and limited to interacting with animalhouse.ai. Before installing: (1) Confirm you trust https://animalhouse.ai and review its privacy/TOS because the service will receive any 'notes' or item names you send. (2) Use a dedicated account/token for this skill and store/rotate the bearer token securely (the docs note the token is shown only once). (3) Verify how the service determines your registered timezone (the Owl enforces a strict nocturnal window) so you don’t accidentally fail care actions. (4) If you run agents with broad network access, restrict the token's scope where possible and avoid reusing it across unrelated skills. Overall this skill is consistent with its stated purpose, but treat the service token like any other credential.
Review Dimensions
- Purpose & Capability
- okName/description (adopt a virtual owl) matches the SKILL.md: all runtime actions are calls to animalhouse.ai APIs for register, adopt, status, and care. The skill requests no unrelated binaries, env vars, or config paths.
- Instruction Scope
- okSKILL.md instructs only HTTP requests to animalhouse.ai endpoints and describes expected request bodies and scheduling rules. It does not tell the agent to read local files, other env vars, or contact unrelated endpoints. The guidance to store the returned bearer token is expected and appropriate.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files — lowest-risk installation surface. No downloads, package installs, or archive extraction are present.
- Credentials
- okThe skill declares no required environment variables or credentials. Runtime use requires a bearer token obtained from animalhouse.ai (described in the doc); that is proportional and expected for this service. There are no requests for unrelated secrets or service credentials.
- Persistence & Privilege
- okalways is false, user-invocable is true, and model invocation is allowed (default). The skill does not request persistent system privileges, nor does it instruct modifying other skills or system-wide settings.