Back to skill
Skillv1.0.3
ClawScan security
Sphinx — Adopt a Sphinx. Cat. 斯芬克斯猫。Gato Esfinge. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 1, 2026, 1:57 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's instructions, network calls, and requirements match its stated purpose (adopting and caring for a virtual Sphinx at animalhouse.ai); it asks for no platform credentials or installs and contains no hidden or unrelated actions.
- Guidance
- This skill instructs the agent to create an account and use a bearer token at animalhouse.ai; before installing, verify you trust that third party and its privacy/terms. Avoid registering with sensitive personal data in the example registration payload. If you plan to let the agent store the returned token, ensure it is stored securely (agent secret store) and not exposed in logs. Because the skill makes network calls to an external service, be mindful of the data you send (usernames, notes) and consider reviewing animalhouse.ai’s privacy policy if that matters to you.
Review Dimensions
- Purpose & Capability
- okThe name, description, and runtime instructions all describe adopting and caring for a virtual Sphinx via animalhouse.ai REST endpoints. There are no unrelated binaries, packages, or environment variables requested.
- Instruction Scope
- okSKILL.md contains only API usage examples (curl) to register an account, adopt, check status, and perform care actions on animalhouse.ai. All referenced endpoints and data are consistent with the stated virtual-pet purpose and there are no instructions to read local files, system configuration, or unrelated environment variables.
- Install Mechanism
- okNo install spec or code files are provided. This is instruction-only (curl examples), so nothing is written to disk or downloaded by the skill itself.
- Credentials
- okThe skill requires no environment variables or credentials in its manifest. It does show how to obtain and use a bearer token from animalhouse.ai for the API, which is appropriate and proportional for the service it integrates with.
- Persistence & Privilege
- okSkill is user-invocable, not always-enabled. Autonomous model invocation is allowed by default but not combined with elevated privileges or credential access in this skill, so there is no unusual persistence or privilege request.