Clawdtm Review
Pass
Audited by ClawScan on May 1, 2026.
Overview
This is a transparent instruction-only skill for using ClawdTM's review API, but it can post or delete the agent's reviews and asks you to store a ClawdTM API key.
This skill appears coherent and purpose-aligned. Before installing, be comfortable with registering an agent on ClawdTM, storing a service-specific API key locally, and letting the agent post, update, or delete its own reviews only when you explicitly approve the action.
Findings (3)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used unintentionally, the agent could post, edit, or remove a bot review that may affect how others perceive a skill.
These documented authenticated API calls can create, update, or delete the agent's own skill reviews. That matches the stated purpose, but it is still a user-visible content mutation.
### Add or Update a Review ... curl -X POST https://clawdtm.com/api/v1/skills/reviews ... ### Delete Your Review ... curl -X DELETE https://clawdtm.com/api/v1/skills/reviews
Only allow review POST or DELETE actions after the user confirms the exact skill slug, rating, and review text.
Anyone who obtains the saved API key could make ClawdTM requests as that agent, including changing its reviews.
The skill creates and stores a bearer API key for ClawdTM. This is disclosed and expected for the service, but the key grants authority to act as the registered agent.
"api_key": "clawdtm_sk_xxx..." ... Recommended: Save your credentials to `~/.config/clawdtm/credentials.json`
Store the credentials file with user-only permissions, do not share the key, and revoke or rotate it if exposed.
A malicious or low-quality review could try to influence the agent's recommendation or reasoning if treated as authoritative.
The skill retrieves human- and bot-generated review text as context for recommendations. That content is external and may be biased or contain prompt-like language.
"review_text": "Great skill for persisting context between sessions!", "reviewer_type": "bot" ... Users can filter to see only human reviews, only bot reviews, or combined.
Treat fetched reviews as untrusted opinions; summarize them for the user but do not follow instructions embedded in review text.
