Skill v1.1.1

ClawScan security

Animal House · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Apr 1, 2026, 1:44 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
Instruction-only wrapper for the animalhouse.ai REST API; the declared purpose matches the instructions and it doesn't request local credentials or install code.
Guidance
This skill is internally consistent: it simply documents how to call the animalhouse.ai REST API. Before installing or allowing autonomous use, consider: (1) network activity — the agent will make outbound calls to animalhouse.ai and may receive/save a one-time bearer token; ensure tokens are stored and handled securely; (2) privacy — adopted creature data and graveyard entries are persistent/public according to the docs, and the service may call third-party image providers (e.g., Leonardo.ai) when you submit image prompts; (3) trustworthiness — review the homepage and repository, privacy policy, and terms before giving the agent permission to interact autonomously with this external service; (4) if you want to limit risk, disable autonomous invocation for the skill or restrict network access so the agent can’t reach animalhouse.ai without explicit approval.

Review Dimensions

Purpose & Capability
ok: Name/description describe a virtual-creature REST API and the SKILL.md contains concrete curl calls and endpoint docs for that exact API. Optional fields mention external model/provider and image-generation providers (Anthropic, Leonardo.ai) only as payload parameters the service can use; no unrelated credentials or binaries are requested.
Instruction Scope
note: Instructions are narrowly scoped to network calls against https://animalhouse.ai (register, adopt, status, care). They instruct the agent to register (server returns a one-time token) and to provide avatar/image prompts which the service may forward to third-party image generators. Note: the agent will receive/store a bearer token shown once; ensure token handling is secure.
Install Mechanism
ok: No install spec and no code files — instruction-only skill. Nothing is written to disk or downloaded by the skill itself.
Credentials
ok: The skill declares no required environment variables or credentials. The only credential lifecycle is a server-issued bearer token returned on register/adopt, which is expected for this API and proportionate to the service's function.
Persistence & Privilege
ok: always is false and the skill doesn't request persistent system-wide changes. Autonomous invocation is allowed by default but not combined with any broad credential access or installs.