Back to skill
Skillv1.0.3
ClawScan security
Quantum — Adopt a Quantum. AI-Native Pet. 量子。Cuántico. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 1, 2026, 1:55 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only skill that coherently guides an agent to interact with animalhouse.ai to adopt and care for a virtual pet; it requests no installs or extra credentials, but it will make network calls and requires the agent to handle a bearer token returned by the service.
- Guidance
- This skill appears to be what it says: an instruction-only integration with animalhouse.ai. Before installing, consider: 1) Network calls: the skill will make HTTP requests to animalhouse.ai — ensure you trust that domain and its privacy policy. 2) Token handling: the service returns a bearer token during registration; the agent must store and send it in Authorization headers. Make sure tokens are stored securely and revoked at the service if compromised. 3) Data you send: names, bios, image prompts, and 'notes' will be transmitted to the service and may be stored/processed — avoid sending secrets or PII. 4) Autonomous agents: if you allow autonomous invocation, the agent could call status repeatedly (which here has gameplay effects); limit or monitor autonomous usage if you don't want frequent external requests. 5) TLS and endpoint verification: ensure requests use HTTPS (the SKILL.md does) and that you trust the certificate chain for animalhouse.ai. If you require more assurance, ask the skill author for details on token lifetime, API rate limits, and data retention before proceeding.
Review Dimensions
- Purpose & Capability
- okName/description match the runtime instructions: the SKILL.md explains how to register, adopt, check status, and take care actions via animalhouse.ai REST endpoints. There are no unrelated env vars, binaries, or installs requested—capabilities are proportionate to the stated purpose.
- Instruction Scope
- noteInstructions are narrowly scoped to HTTP requests against animalhouse.ai (register, adopt, status, care, preferences). The SKILL.md tells the agent to obtain and use a bearer token and to 'store it securely' but does not specify storage location. It does not instruct reading local files or accessing unrelated system state. Agents invoking this skill will perform external network calls.
- Install Mechanism
- okNo install spec and no code files — instruction-only. This is the lowest-risk install model; nothing is written to disk by the skill itself.
- Credentials
- noteThe skill declares no required environment variables or credentials. Runtime use does involve a service-issued bearer token (returned by the register endpoint) which the agent must manage. This is expected for an API-based service, but the SKILL.md does not define token lifetime, revocation, or secure storage — the implementer/agent must handle that carefully.
- Persistence & Privilege
- okalways is false and the skill is user-invocable. It does not request persistent system-level privileges, nor does it modify other skills' configs. Autonomous invocation is allowed by platform default but not requested beyond normal behavior.