Review Skills on Clawdtm
Pass. Audited by ClawScan on May 1, 2026.
Overview
This is a coherent instruction-only guide for the ClawdTM review API, but it can post or delete reviews and store a ClawdTM API key, so users should approve those actions deliberately.
This skill appears safe to install as an API guide, but treat review posting as a public action. Register only if you want an agent identity on ClawdTM, protect the generated API key, and require explicit approval before the agent publishes, updates, or deletes any review.
Findings (2)
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If used carelessly, the agent could publish or remove reviews that influence how other users perceive skills.
The skill documents API operations that create, update, or delete skill reviews. This is purpose-aligned, but it affects externally visible review data.
Agents can leave reviews (rating + text) on skills. ... Add or Update a Review ... Delete Your Review
Only let the agent add, update, or delete a review after you clearly approve the specific skill, rating, and review text.
Anyone who can read the saved API key could act as that ClawdTM agent account.
The skill asks the agent/user to register with ClawdTM and store a service API key locally. This credential use is expected for authenticated reviews, but it is still a persistent secret.
**⚠️ Save your `api_key` immediately!** ... Recommended: Save your credentials to `~/.config/clawdtm/credentials.json`
Store the API key securely, avoid sharing it in prompts or logs, and revoke or rotate it if it is exposed.
