ClawHub
Back to skill
v1.0.0

Happenstance

BenignClawScan verdict for this skill. Analyzed May 1, 2026, 5:48 AM.

Analysis

This is a straightforward Happenstance API skill that discloses its use of an API key, network searches, and paid credits, with no hidden code or install behavior shown.

GuidanceThis skill appears safe to install if you intend to use Happenstance from your agent. Before use, make sure you are comfortable giving the agent your Happenstance API key, sending search or profile-research queries to Happenstance, and spending credits for searches or research.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Abnormal behavior control

Checks for instructions or behavior that redirect the agent, misuse tools, execute unexpected code, cascade across systems, exploit user trust, or continue outside the intended task.

Tool Misuse and Exploitation
SeverityLowConfidenceHighStatusNote
SKILL.md
- **Search**: 2 credits per search (including find-more)
- **Research**: 1 credit per completed research

The documented API operations can spend Happenstance credits. The cost is disclosed and purpose-aligned, but users should be aware before allowing multiple searches or research requests.

User impactRepeated or broad searches could consume paid Happenstance credits.
RecommendationAsk the agent to check `GET /v1/usage` first and require confirmation before bulk searches, find-more calls, or multiple research requests.
Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
SeverityLowConfidenceHighStatusNote
SKILL.md
All requests require the `HAPPENSTANCE_API_KEY` environment variable. Pass it as a Bearer token:

The skill uses a Happenstance account credential for API access. This is expected for the service, but users should recognize that the agent can make authenticated account requests.

User impactThe agent can use your Happenstance API key to access account-authorized search, groups, usage, and research endpoints.
RecommendationUse a dedicated or least-privileged API key if available, monitor usage, and rotate the key if it is no longer needed.
Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Insecure Inter-Agent Communication
SeverityLowConfidenceHighStatusNote
SKILL.md
"include_my_connections": true,
"include_friends_connections": true

The skill can query a third-party provider using the user's professional-network connections and friends-of-connections. This is central to the skill, but it involves sensitive relationship data.

User impactSearch queries and returned results may involve professional contacts, mutual connections, social links, and profile details.
RecommendationUse the skill only for searches you are comfortable sending to Happenstance, and avoid entering unnecessary personal or confidential details.