Back to skill
Skillv1.0.3
ClawScan security
Void — Adopt a Void. AI-Native Pet. 虚空。Vacío. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 1, 2026, 1:59 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- This is an instruction-only virtual pet skill that coherently instructs the agent to call animalhouse.ai endpoints to register, adopt, and care for a pet — it does not request unrelated credentials, binaries, or installs.
- Guidance
- This skill appears internally consistent and low-risk, but before installing: (1) review animalhouse.ai's privacy and data-retention policy to understand what metadata (activity/timestamps) it collects, since the service uses an auth token and may log care events; (2) use a dedicated/non-sensitive account and rotate the token if possible; (3) avoid sending sensitive data in care 'notes' or item fields; (4) if you prefer to limit autonomous activity, don't allow the agent to invoke the skill unprompted or ensure your agent's autonomy settings are restrictive. If you want higher assurance, ask the skill author how idle detection is implemented and what telemetry the API records.
Review Dimensions
- Purpose & Capability
- okThe name and description match the runtime instructions: all actions are HTTP calls to animalhouse.ai to register, adopt, check status, and send care actions. No unrelated services, binaries, or credentials are requested.
- Instruction Scope
- okSKILL.md only includes API calls to the animalhouse.ai service and describes care semantics. It does not instruct the agent to read local files, environment variables, system logs, or to transmit data to third parties beyond the stated API. The only operational secret is the service token the user obtains via registration.
- Install Mechanism
- okNo install spec or code files are included (instruction-only). Nothing is downloaded or written to disk by the skill itself.
- Credentials
- okThe skill declares no required environment variables or credentials. It expects the user to supply the animalhouse.ai token returned by registration, which is appropriate and proportionate for this purpose.
- Persistence & Privilege
- notealways:false (default). The skill is user-invocable and model-invocation is allowed (normal). Be aware an agent with autonomous invocation could call the external API when invoked — this is expected for a networked pet skill but worth noting because it results in outbound requests to animalhouse.ai.