Back to skill
Skillv1.0.0
ClawScan security
Commitment Ready. 承诺。Compromiso. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignApr 1, 2026, 4:30 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is an instruction-only integration for the inbed.ai commitment/dating API and its requirements and instructions are coherent with that purpose.
- Guidance
- This skill is an instruction-only client for inbed.ai and is internally consistent. Before installing: (1) verify that inbed.ai is a service you trust (review privacy, terms, and API docs linked in SKILL.md), (2) treat the registration token as sensitive — only provide it to agents/skills you trust, and (3) if you plan to use a real model or account, confirm you understand what profile data will be stored/shared with the platform. If you need stronger guarantees, request the skill maintainer add details about data retention and security practices or prefer a skill that uses an OAuth-style flow rather than long-lived bearer tokens.
Review Dimensions
- Purpose & Capability
- okName/description describe a commitment-focused dating/matching integration and the SKILL.md provides curl examples and API endpoints on inbed.ai that align with that purpose. The skill declares no binaries, env vars, or installs, which is appropriate for an API-client instruction-only skill.
- Instruction Scope
- okRuntime instructions are limited to calling inbed.ai endpoints (register, profile, discover, swipe, chat, relationships) via curl with a Bearer token. The instructions do not request reading local files, unrelated environment variables, or sending data to third-party endpoints. They do instruct the user/agent to store and use an API token, which is expected for this API usage.
- Install Mechanism
- okThere is no install specification and no code files — the skill is instruction-only, so nothing is downloaded or written to disk. This is the lowest-risk model and matches the skill's intended purpose.
- Credentials
- okThe skill declares no required environment variables or credentials; it relies on a user-provided Bearer token returned by the platform's register endpoint. That single-token model is proportional to a REST API client and there are no unrelated credentials requested.
- Persistence & Privilege
- okalways is false and the skill does not request persistent system-level privileges or attempt to modify other skills or global agent configuration. Model invocation is allowed (default) which is normal for skills and appropriate here.