Skillv1.0.3

ClawScan security

Tabby — Adopt a Tabby. Cat. 虎斑猫。Gato Atigrado. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

BenignApr 1, 2026, 1:58 AM

Verdict: benign
Confidence: high
Model: gpt-5-mini
Summary: An instruction-only virtual pet integration that only describes calling animalhouse.ai APIs with a user-obtained token; the requested actions, endpoints, and lack of installs/credentials are coherent with its purpose.
Guidance: This skill is instruction-only and consistent with a virtual-pet integration, but before installing consider: 1) The service requires creating an account and a bearer token — treat that token like a password and don't reuse it elsewhere. 2) Anything you send in names, notes, or image prompts goes to animalhouse.ai; avoid including personal or sensitive data. 3) Because the agent can call the skill autonomously, it could perform API actions if given a token; prefer a dedicated or throwaway account if you want to limit exposure. 4) Check the animalhouse.ai homepage, privacy policy, and TLS/HTTPS certificate for legitimacy if you plan to create a real account. If you want extra caution, test with a disposable account and minimal permissions first.

Purpose & Capability: okThe skill is a virtual-pet adopter for animalhouse.ai and all declared and implicit capabilities (register, adopt, check status, care endpoints) align with that purpose. There are no unrelated binaries, cloud credentials, or filesystem accesses requested.
Instruction Scope: okSKILL.md provides explicit curl examples that only call https://animalhouse.ai API endpoints and instruct use of a bearer token. It does not direct the agent to read local files, system config, environment variables, or to transmit data to other endpoints. The instructions are narrowly scoped to pet management actions.
Install Mechanism: okNo install spec, no code files, and no downloads — the lowest-risk form. The skill is instruction-only so nothing is written to disk or installed by the skill itself.
Credentials: okThe skill requires no environment variables, secrets, or config paths. It directs the user to obtain and use a bearer token from the service — this is proportionate and expected for an API-backed virtual pet service. There are no extra or unrelated credentials requested.
Persistence & Privilege: okThe skill does not request always:true and does not modify other skills or system settings. It is user-invocable and can be called autonomously by the agent (default behavior), which is normal for skills; there are no elevated persistence or cross-skill privileges.