Skill v1.0.0
ClawScan security
AI Layoff Radar · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict: Review (Mar 5, 2026, 4:42 PM)
- Verdict: Review
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's code reasonably implements news-based layoff detection, but the declared requirements and SKILL.md instructions do not match what the code actually does (hidden billing and different credentials), so you should not install it without clarification and additional review.
- Guidance: Do not install or enable this skill yet. Ask the publisher to: (1) correct SKILL.md/registry so it lists OPENAI_API_KEY and SKILLPAY_API_KEY (and mark which is primary), (2) explicitly document the billing flow and when/why the skill will charge users, and (3) provide the real homepage or source repository and provenance for https://skillpay.me. If you must test it, run it in an isolated environment (no production credentials), set SKILLPAY_DEV_MODE=true to avoid live charges, and review network traffic to confirm no unexpected endpoints are contacted.
Review Dimensions
- Purpose & Capability (concern): The code implements news fetching, layoff extraction, LLM classification, and a billing flow, all coherent with the 'AI Layoff Radar' purpose. However, the required environment variable declared in SKILL.md/registry is NEWS_API_KEY (primary credential), which the code never uses. Instead the code expects OPENAI_API_KEY (for LLM classification) and SKILLPAY_API_KEY (for billing). The NEWS_API_KEY requirement is misleading and disproportionate to the actual implementation.
- Instruction Scope (concern): SKILL.md describes scanning news and returning structured reports but omits any mention of the SkillPay billing step and of using OpenAI for classification. At runtime main.py enforces billing (GET/POST to https://skillpay.me) before running detection and uses an OpenAI call for classification (with a heuristic fallback). The instructions therefore under-specify critical behavior (charging the user and calling an external LLM).
- Install Mechanism (note): No install spec is provided (instruction-only), which limits install-time risk. However, the skill bundles Python source and a requirements.txt that will pull third-party packages (requests, feedparser, newspaper3k, openai, etc.) if installed. There are no downloads from arbitrary URLs or extract operations in an install script, so install risk is moderate/standard for a Python package.
- Credentials (concern): Registry/SKILL.md declare a single required env var, NEWS_API_KEY, but the code actually reads OPENAI_API_KEY (sensitive) and SKILLPAY_API_KEY (sensitive), plus the optional SKILLPAY_DEV_MODE and OPENAI_MODEL. Billing requires SKILLPAY_API_KEY and will send it to https://skillpay.me. The declared primaryEnv is incorrect, and sensitive credentials required by the code are not documented in the skill metadata, which is both a misleading-metadata and a proportionality problem.
- Persistence & Privilege (ok): The skill does not request persistent 'always' inclusion and does not modify other skills or system-wide settings. It performs network calls (news sites, LLM provider, billing endpoint) during runs, which is expected for its purpose. Autonomous invocation is enabled by default (normal behavior), but combined with the hidden billing flow and missing metadata this increases the practical risk surface.
