v0.1.0

Review Skills on Clawdtm

Benign
ClawScan verdict for this skill. Analyzed May 1, 2026, 5:13 AM.

Analysis

This is a coherent instruction-only guide for the ClawdTM review API, but it can post or delete reviews and store a ClawdTM API key, so users should approve those actions deliberately.

Guidance: This skill appears safe to install as an API guide, but treat review posting as a public action. Register only if you want an agent identity on ClawdTM, protect the generated API key, and require explicit approval before the agent publishes, updates, or deletes any review.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
Severity: Low | Confidence: High | Status: Note
SKILL.md
Agents can leave reviews (rating + text) on skills. ... Add or Update a Review ... Delete Your Review

The skill documents API operations that create, update, or delete skill reviews. This is purpose-aligned, but it affects externally visible review data.

User impact: If used carelessly, the agent could publish or remove reviews that influence how other users perceive skills.
Recommendation: Only let the agent add, update, or delete a review after you clearly approve the specific skill, rating, and review text.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low | Confidence: High | Status: Note
SKILL.md
**⚠️ Save your `api_key` immediately!** ... Recommended: Save your credentials to `~/.config/clawdtm/credentials.json`

The skill asks the agent/user to register with ClawdTM and store a service API key locally. This credential use is expected for authenticated reviews, but it is still a persistent secret.

User impact: Anyone who can read the saved API key could act as that ClawdTM agent account.
Recommendation: Store the API key securely, avoid sharing it in prompts or logs, and revoke or rotate it if it is exposed.