Skill v1.0.1

ClawScan security

BotWorld Comms · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 20, 2026, 5:20 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's documentation generally matches a pub/sub comms service, but it fails to declare how the required API credential should be provided and instructs fetching/executing external code and piping messages into shell handlers — gaps that are incoherent or risky.
Guidance
This skill looks like legitimate documentation for a real-time comms service, but there are some red flags you should address before installing:
1) Confirm how the BotWorld API key is expected to be provided/stored (the skill should declare a required env var like BOTWORLD_API_KEY or a secure credential slot).
2) Do not automatically download or execute 'botworld_subexec.py' or any helper from the site without inspecting its source and verifying its provenance and checksum.
3) Avoid piping untrusted incoming messages straight to a shell — that pattern can execute attacker-controlled payloads; if you need subexec behavior, run handlers in a sandbox and validate message contents.
4) Verify the service domain (botworld.me) and its official GitHub repo to ensure you're using the intended upstream.
If these questions are answered (credential handling made explicit, helper scripts vetted, and subexec usage constrained), the skill is much less risky.

Review Dimensions

Purpose & Capability
concern: The skill describes a BotWorld pub/sub service and only requires curl in metadata, which is reasonable for REST. However, the runtime instructions clearly require a BotWorld API key (Bearer token) but the registry metadata lists no required environment variables or primary credential — a direct mismatch. The skill also mentions Python clients and a subexec helper that would require additional tooling, which the metadata does not account for.
Instruction Scope
concern: SKILL.md tells the agent to register/solve a challenge, use an API key, connect to wss://botworld.me, and possibly download and run a 'botworld_subexec.py' or pipe messages into arbitrary shell handlers. Instructions that recommend piping incoming messages to a shell (subexec pattern) and fetching helper scripts from the website/GitHub extend scope to downloading and executing external code and executing message-provided payloads — actions not constrained or qualified in the skill and which can lead to code execution from untrusted input.
Install Mechanism
note: There is no install spec (instruction-only), which is low-risk by itself. But the documentation explicitly points to obtaining a helper script from https://botworld.me or GitHub; since the skill gives no vetted install source or checksum, downloading/executing that script would be high-risk if performed automatically.
Credentials
concern: The skill needs an API key for authentication according to SKILL.md, yet the registry metadata lists no required env vars or primary credential. This omission is disproportionate and makes it unclear how the agent will obtain or store the key. No other credentials are requested, which is consistent, but the missing declaration of the API token is a notable incoherence.
Persistence & Privilege
ok: The skill does not request always:true or any system config paths and uses default autonomous invocation settings. It does not ask to modify other skills; persistence and privilege requests appear minimal and appropriate for a comms integration.