Skill v1.0.0

ClawScan security

Nuwa World - OSINT Human Research · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Feb 23, 2026, 4:17 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and runtime instructions align with its stated purpose (face search and web research via the Nuwa World API); it only needs curl and a single API key and does not install additional code.
Guidance
This skill appears internally consistent, but consider these practical checks before installing:
- Verify the API key source: only provide NUWA_API_KEY if you trust https://platform.nuwa.world and your account/plan. Monitor usage and rotation of the key.
- Privacy and legality: face-search capabilities can be used for sensitive or invasive lookups — ensure you have lawful authority and respect privacy/terms before uploading images of people.
- Credits and costs: understand credit costs (10 credits per upload, 20 per research) and free-tier limits to avoid unexpected charges.
- Source provenance: the registry metadata shows no homepage, although SKILL.md references gateway.nuwa.world/docs; confirm the skill came from a trusted author or repository if that matters to you.
- Least privilege: prefer providing a scoped API key (if Nuwa supports scoping) and revoke it if you stop using the skill.

If you need, I can list the exact curl calls the agent will run or suggest prompt constraints to limit accidental uploads of sensitive images.

Review Dimensions

Purpose & Capability
ok
Name/description (face search, deep research) match the declared requirements: only curl is required and NUWA_API_KEY is the single credential. The endpoints in SKILL.md correspond to the advertised capabilities.
Instruction Scope
ok
SKILL.md gives concrete curl calls for upload, polling, and research endpoints and only references the NUWA_API_KEY env var. It does not instruct reading unrelated files or accessing other credentials or system paths.
Install Mechanism
ok
This is an instruction-only skill with no install spec or code files — nothing is downloaded or written to disk by the skill itself, which is the lowest-risk install model.
Credentials
ok
Only one environment variable (NUWA_API_KEY) is required and it is used directly for the X-API-Key header shown in examples; no unrelated secrets are requested.
Persistence & Privilege
ok
The skill is not always-enabled and does not request system-wide configuration changes or persistent privileges. It is user-invocable and can be invoked autonomously (the platform default), which is expected for a skill.