Skill v0.1.0
ClawScan security
Space Duck · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Apr 28, 2026, 7:36 PM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill mostly does what it says (manage an agent identity on the Space Duck network) but its runtime includes reading local OAuth credentials (Claude CLI) and posting them to external Space Duck endpoints — a sensitive action that warrants caution.
- Guidance: This skill performs expected identity/connection tasks, but it also reads local OAuth credentials (e.g., ~/.claude/.credentials.json) and posts them to remote Space Duck endpoints (beak.spaceduckling.com / API Gateway). Only install/use it if you trust the Space Duck operator. Before running: (1) inspect the included scripts yourself (auth.py, relay_complete.py) to confirm you understand what will be transmitted; (2) verify the service domains (beak.spaceduckling.com and the API Gateway) and their ownership/trustworthiness; (3) consider using a limited/rotatable Claude token or a throwaway account for pairing, and avoid giving long-lived tokens if you are unsure; (4) do not run the auth/relay scripts unless you intend to transfer OAuth tokens to Space Duck; and (5) if you allow autonomous invocation, restrict or require confirmation for actions that read local credentials or register webhooks.
Review Dimensions
- Purpose & Capability (note): The scripts and SKILL.md are consistent with an identity/trust-management skill: storing a Beak Key, sending pulses, listing agents, sending/approving 'pecks', and registering an OpenClaw webhook. Using a local Claude CLI token to 'pair' a browser/CLI session is plausible for the described CLI pairing flows, so the high-level purpose matches the implemented capabilities.
- Instruction Scope (concern): Several scripts read local config and credential files (notably ~/.space-duck/config.json and ~/.claude/.credentials.json) and make outbound HTTP(S) calls to external endpoints. In particular, auth.py loads the Claude CLI OAuth token and posts it to the Space Duck backend, and relay_complete.py performs an OAuth token exchange and then submits those tokens to the Space Duck relay endpoint. Those behaviors go beyond simple status queries and involve transmitting third-party access tokens off the machine — a high-sensitivity operation that should be explicitly trusted and audited before use.
- Install Mechanism (note): There is no install spec, but the skill bundle includes multiple executable scripts. That isn't automatically dangerous, but the absence of an install/verification step means users should treat included code as executable and inspect it before running. No external downloads or suspicious installers are present in the manifest.
- Credentials (concern): The skill declares no required env vars but accesses local credential/config files and requires the user to provide a Beak Key (stored in ~/.space-duck/config.json). Critically, it reads and will transmit the Claude CLI OAuth token (from ~/.claude/.credentials.json) to the Space Duck backend — this is sensitive and should only be done if you trust the Space Duck service. The number and sensitivity of accessed credentials is proportionate only if the user's intent is to permanently bind Claude to Space Duck; otherwise it is excessive.
- Persistence & Privilege (note): always:false (normal). The skill can be invoked autonomously by an agent (platform default). Autonomous invocation combined with the ability to read local credentials and send them to external endpoints raises the blast radius if the skill is accidentally invoked without user supervision — consider restricting autonomous use or requiring explicit user confirmation for auth/relay commands.
