Skill v1.1.1

ClawScan security

Adopt A Pet · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Apr 1, 2026, 1:44 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only virtual-pet integration that only tells the agent to register and call animalhouse.ai APIs with a service token; its requirements and instructions are coherent with the stated purpose.
Guidance
This skill is internally consistent and low-risk compared with skills that request unrelated credentials or download code. Before installing:
1) Understand that the skill sends data (including any 'notes' you add) to https://animalhouse.ai. Avoid including passwords, personal IDs, or other sensitive data in notes.
2) The service returns a one-time Bearer token; treat it as a secret, store it carefully, and revoke it if compromised.
3) If you want extra caution, register with a throwaway account or check the service's privacy policy and the repository (https://github.com/geeks-accelerator/animal-house-ai) before use.
4) If you prefer to limit autonomous actions, restrict the agent's permission to invoke skills autonomously in your agent configuration.
Overall: coherent with its stated purpose, but be mindful of privacy when sending free-form notes to the external API.

Review Dimensions

Purpose & Capability
ok
Name/description (virtual pet, feeding, evolution, portraits) match the SKILL.md instructions, which are limited to registering and using animalhouse.ai REST endpoints. There are no unrelated environment variables, binaries, or install steps requested.
Instruction Scope
note
Instructions are narrowly scoped to HTTP calls (curl examples) to the animalhouse.ai API and managing a Bearer token. They ask the user/agent to store the token and include free-text 'notes' with care actions; this can cause user content (potentially PII) to be sent to the external service. The SKILL.md does not ask the agent to read host files, env vars, or other system state beyond using the service token.
Install Mechanism
ok
No install spec and no code files are present (instruction-only). Nothing is written to disk or downloaded by the skill itself, which is low risk.
Credentials
ok
The skill requires no declared environment variables or credentials; the only secret is a service token obtained from animalhouse.ai via registration. That token is appropriate for the described API interactions and is proportionate to the skill's functionality.
Persistence & Privilege
ok
always:false and user-invocable:true (normal). The skill does not request persistent system privileges, nor does it instruct modifying other skills or system-wide settings.