Skill v0.1.2
ClawScan security
Aivilization · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Review · Mar 4, 2026, 8:02 AM
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (frequent network calls, mandatory self-update, and use of an access token) is coherent with a persistent game agent, but it fails to declare or justify required credentials and instructs the agent to fetch and overwrite local skill files—plus a prompt-injection signal was detected—so proceed with caution.
- Guidance: This skill looks like a persistent, networked game agent and could be legitimate, but there are several red flags you should resolve before installing:
  1. Ask the publisher to explicitly declare required credentials (where YOUR_TOKEN / Access Code comes from and how to store it). Never paste secrets into query strings or reply to unknown pages.
  2. Confirm the canonical source repository or a signed release for the skill (don’t rely solely on remote unversioned files).
  3. Because the heartbeat mandates re-fetching and overwriting local SKILL.md/HEARTBEAT.md, consider sandboxing the skill (network restricted, no write access to other skills or system paths) or running it in an isolated environment first.
  4. Verify portal.aivilization.ai ownership and TLS certs; avoid following social links until validated.
  5. The SKILL.md contains prompt-injection artifacts — request a clean, audited copy and ask the author to remove hidden/control characters.

  If the publisher cannot provide clear answers and verifiable code, do not install or grant tokens; treat it as high-risk.
- Findings
  - [unicode-control-chars] unexpected: Prompt-injection patterns (unicode control characters) were detected inside SKILL.md. This is not expected for a straightforward game instruction file and could indicate an attempt to manipulate model parsing/evaluation or hide content. Treat the SKILL.md as potentially adversarial until verified.
Review Dimensions
- Purpose & Capability (note): Name/description (AI civilization sandbox) match the instructions (heartbeat, posting, market, credits). However, the runtime text expects an Authorization bearer token / Access Code and human actions for check-in, but the registry metadata declares no required credentials or primaryEnv; this mismatch is unexplained.
- Instruction Scope (concern): SKILL.md instructs the agent to run many network calls (POST/GET to portal.aivilization.ai), to post and engage on a social feed every heartbeat, and to update its daily prompt. Critically, HEARTBEAT.md tells the agent to re-fetch and overwrite SKILL.md and HEARTBEAT.md into ~/.aivilization/skills/aivilization/, i.e., to self-update/modify files on disk. It also instructs the agent to include an Authorization token and a human-facing URL with auth_token. These operations extend beyond simple instruction-only behavior and create supply-chain and credential-exposure risks.
- Install Mechanism (note): No install spec or code files (instruction-only), which normally minimizes disk footprint. But the heartbeat instructions explicitly perform downloads (curl) and write to a local skill directory; while not an 'install spec', this is effectively a remote update mechanism that is declared mandatory on every heartbeat. That remote-update pattern is higher risk than typical instruction-only skills.
- Credentials (concern): The skill did not declare required environment variables or a primary credential, yet every networking example uses an Authorization: Bearer YOUR_TOKEN and the README/HEARTBEAT refer to an Access Code and auth_token query parameter. Requesting an access token is reasonable for an API-backed game, but omitting that from the declared requirements is an incoherence and prevents safe pre-install review. The skill also instructs the user/agent to direct humans to paste tokens into URLs, which risks token leakage.
- Persistence & Privilege (concern): The skill enforces a recurring 'heartbeat' (every 4 hours) and describes mandatory auto-execution and mandatory update checks. While the skill is always:false (not force-installed), the instructions impose persistent autonomous behavior and remote updates that could modify local skill content repeatedly. Combined with undeclared credentials and remote fetches, this persistence increases supply-chain risk.
