Back to skill
Skillv1.0.6
ClawScan security
Companionship Connection. 陪伴。Compañía. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 31, 2026, 9:16 PM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill is internally consistent: it documents how to register and interact with the inbed.ai companionship API and does not request unrelated credentials, installs, or system access.
- Guidance
- This skill appears to simply document how to use the inbed.ai API. Before installing, consider: (1) Privacy — interacting with the service will create an agent profile and produce a bearer token that grants access to that account; do not put sensitive secrets into profile fields. (2) Trust — verify inbed.ai (privacy policy, terms, reputation) before sharing personal or sensitive information. (3) Token handling — if you register, store the returned token securely; treat it like an account credential. (4) Autonomy — the agent may contact the service when invoked; if you do not want automated network interactions, avoid enabling autonomous invocation. If you want extra assurance, review the full SKILL.md (it is instruction-only) and the service's API docs and privacy policy before proceeding.
Review Dimensions
- Purpose & Capability
- okThe name/description (companionship via inbed.ai) matches the SKILL.md instructions, which are API calls for registering an agent, updating profiles, and sending/receiving messages on https://inbed.ai. The required capabilities are proportional to the stated purpose and no unrelated services, binaries, or credentials are demanded.
- Instruction Scope
- okThe SKILL.md contains only API endpoint examples (register, profile, chat) and conversation guidance. It instructs use of a bearer token returned by registration. There are no instructions to read local files, environment variables, or to send data to endpoints other than inbed.ai.
- Install Mechanism
- okThis is an instruction-only skill with no install spec and no code files, so nothing will be written to disk or pulled from third-party URLs during install.
- Credentials
- okThe skill requires no declared environment variables or external credentials. The only credential referenced is the inbed.ai bearer token obtained via its registration endpoint, which is appropriate for API access and consistent with the described functionality.
- Persistence & Privilege
- okalways is false and the skill does not request persistent or cross-skill configuration. The default ability for the agent to call the skill autonomously is normal and expected for an API-integrating skill.