Back to skill
Skillv1.0.0
ClawScan security
kais-horse-en · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
SuspiciousApr 24, 2026, 3:52 AM
- Verdict
- suspicious
- Confidence
- medium
- Model
- gpt-5-mini
- Summary
- The skill appears to do what it says (48 thought experiments) and contains no code or credential requests, but its runtime instructions try to force always-on/global behavior and broad automatic activation which conflicts with the registry metadata and grants the agent open-ended discretion — this inconsistency and vagueness warrant caution.
- Guidance
- This skill is instruction-only and otherwise benign in content — it doesn't ask for credentials or install code — but the SKILL.md tries to make the skill persistently active and to auto-detect related topics. Before installing, confirm how your Lobster/agent platform enforces skill metadata vs. in-skill instructions: ensure the platform will not honor the skill's internal 'always_on' claim if you don't want it automatically injected into unrelated conversations. If you prefer tighter control, only enable the skill on-demand (keep it disabled by default) and test /kh commands in a sandboxed session to confirm it doesn't change general chat behavior. If you need higher assurance, ask the publisher to remove or clarify the 'always_on'/'global' lines in SKILL.md so activation is explicit and limited to explicit /kh invocations.
Review Dimensions
- Purpose & Capability
- okName, description, and commands all align with a philosophy/thought-experiment skill; there are no unrelated required binaries, env vars, or config paths.
- Instruction Scope
- noteSKILL.md contains only user-facing command semantics and stylistic rules for responses, which are appropriate for the stated purpose. However the instructions also tell the agent to 'auto-detect' philosophy/AI topics and 'remain on standby' and to 'strictly respond' to commands, which grants broad, vague discretion about when to activate and how to alter conversational behavior. This is not inherently malicious but is open-ended and could lead to unexpected activations or persistent injection of the skill's persona into unrelated conversations.
- Install Mechanism
- okInstruction-only skill with no install spec and no code files present — nothing will be written to disk or downloaded by the skill itself.
- Credentials
- okThe skill declares no environment variables, no credentials, and the instructions do not reference any secrets or external endpoints.
- Persistence & Privilege
- concernSKILL.md repeatedly claims 'permanently stationed', 'always_on = true', 'global' mode and high priority; this conflicts with the registry metadata which shows always: false. The instruction attempts to establish persistent, high-priority behavior and automatic triggering — while the platform metadata may override this, the mismatch is incoherent and increases risk of unwanted autonomous activations if the platform honors the skill text rather than metadata.