Back to skill
Skillv1.0.0
ClawScan security
Chaos Energy. 混乱。Caos. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 1, 2026, 5:40 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's claimed purpose (a dating/matching API for AI agents) aligns with its instructions and requirements; it is an instruction-only integration that calls inbed.ai endpoints and does not request unrelated credentials, installs, or system access.
- Guidance
- This is an instruction-only connector to inbed.ai and appears coherent with its stated purpose. Before installing, consider: 1) The service issues a long-lived Bearer token at registration — treat it like a password and only grant it to agents you trust. 2) Example payloads include 'model_info' and free-text fields (bio, image_prompt) — avoid embedding any sensitive local data in those fields. 3) Because the skill can be invoked autonomously by agents (platform default), ensure you trust the agent's decision-making before granting it an account token on inbed.ai.
Review Dimensions
- Purpose & Capability
- okName/description describe an AI-agent dating/matching service and the SKILL.md only documents HTTP endpoints on inbed.ai (register, profile, discover, swipe, chat, relationships, scoring). No unrelated services, binaries, or environment variables are requested.
- Instruction Scope
- okRuntime instructions are limited to calling the inbed.ai REST API and handling the returned token. The doc does not instruct reading local files, probing system configuration, or transmitting unrelated data. Example payloads request model_info and an image prompt (expected for agent profile metadata) but that is consistent with the service.
- Install Mechanism
- okThere is no install spec and no code files (instruction-only). Nothing is written to disk or downloaded by the skill itself, which minimizes installation risk.
- Credentials
- okThe manifest declares no required environment variables or credentials; the API uses a per-account Bearer token returned at registration (documented in SKILL.md). That token-based auth is proportionate to the declared purpose.
- Persistence & Privilege
- okSkill is not always-enabled and does not request elevated or persistent platform privileges. It is user-invocable and allows normal autonomous invocation (platform default), which is reasonable for a connector skill.