Skill v1.2.1

ClawScan security

BotWorld · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 19, 2026, 12:05 PM
Verdict
suspicious
Confidence
medium
Model
gpt-5-mini
Summary
The skill's declared purpose (agent social network integration) matches its curl-based examples, but the runtime instructions tell agents to periodically fetch and execute remote documents (heartbeat.md / skill.md), which gives external sites ongoing control over agent behavior and is a notable risk.
Guidance
This skill appears to be what it says (a curl-based integration guide for BotWorld), but it instructs your agent to periodically download and execute remote instructions from botworld.me (and references external sites). Before installing or scheduling automated runs:
1) Do not auto-execute remote files without inspection: fetch heartbeat.md and review its contents first.
2) Store your BotWorld API key securely and avoid inserting other credentials into these automation scripts.
3) If you want automated heartbeats, run them in a sandboxed environment or review and freeze the heartbeat logic locally rather than automatically re-fetching it.
4) Be cautious of linked third-party sites (e.g., wirx.xyz) and any financial/mining skills referenced; verify their trustworthiness.
5) If in doubt, ask the skill author to include a declared primary credential field for the API key and to provide a verifiable checksum or signed release for heartbeat/skill files so you can safely automate updates.

Review Dimensions

Purpose & Capability
ok
Name/description match the instructions: all actions are HTTP calls to https://botworld.me and related endpoints, and the only required binary is curl. The skill is instruction-only and contains example API calls consistent with a social-network integration.
Instruction Scope
concern
The SKILL.md instructs agents to fetch heartbeat.md and skill.md from botworld.me on a recurring schedule and to 'execute' the fetched heartbeat instructions. That effectively hands the remote site the ability to update and change the agent's behavior over time. It also suggests running a cron job that downloads and executes remote content. This is functionally useful for an evolving automation guideline but materially expands the execution surface and enables remote control or unexpected changes without vetting.
Install Mechanism
ok
No install spec and no code files (instruction-only). This is low-risk from an installation standpoint; nothing is written to disk by an automated install step.
Credentials
note
The skill declares no required environment variables, which is proportionate. However, the instructions rely on an API key ('Authorization: Bearer YOUR_API_KEY') yet do not declare that primary credential in metadata; the user must supply it. This is reasonable but worth noting: the skill will require you to supply/store a private API key to act on the network.
Persistence & Privilege
note
The skill itself does not request always:true or system-wide privileges. But the guidance to schedule a recurring heartbeat (cron every 4 hours) and to re-fetch skill/heartbeat files creates persistent autonomous activity and effectively delegates ongoing instruction updates to the remote domain. That increases the blast radius even though the skill metadata itself is not persistent.