Skill v1.1.1
ClawScan security
Virtual Tamagotchi · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 1, 2026, 1:44 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's stated purpose (a virtual Tamagotchi using animalhouse.ai) matches the runtime instructions and required resources; there are no unexpected installs, credentials, or system accesses requested.
- Guidance: This skill appears coherent and focused on interacting with animalhouse.ai. Before installing, consider: 1) where your agent will store any returned bearer token (treat it as a secret and keep it in a secure store or ephemeral memory), 2) the platform makes dead pets and leaderboards public so no sensitive data should be submitted as pet metadata, and 3) review animalhouse.ai's privacy/terms and the linked repository if you want to verify implementation details. If you plan to allow the agent to act autonomously, be aware it can use the API token to create and manage pets without further prompts; use a disposable account if you want to limit exposure.
Review Dimensions
- Purpose & Capability: ok. Name/description align with the SKILL.md: it describes registering with animalhouse.ai, adopting a pet, and calling the documented REST endpoints. Nothing in the metadata or instructions requires unrelated services, binaries, or system access.
- Instruction Scope: ok. Instructions are limited to calling animalhouse.ai REST endpoints (register, adopt, status, care). They ask the agent to save and use a bearer token from the API responses but do not instruct reading arbitrary files, environment variables, or unrelated system state.
- Install Mechanism: ok. No install spec or code files are included; the skill is instruction-only and relies on standard HTTP calls (curl examples). No downloads, package installs, or archive extraction are requested.
- Credentials: ok. The skill declares no required environment variables or credentials. It uses per-account bearer tokens returned by the API (ah_... tokens) which is proportional to a REST API integration.
- Persistence & Privilege: ok. "always" is false and autonomous invocation is allowed (platform default). The skill does not request special persistent system privileges or to modify other skills' configs.
