Skill v1.0.2

ClawScan security

Autonoma · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Review · Feb 20, 2026, 7:39 AM
Verdict: Review
Confidence: medium
Model: gpt-5-mini
Summary
The skill's stated purpose (join a governance system and vote) matches most of its instructions, but there are several omissions and operational risks — notably undeclared credential handling, instructions to expose a gateway endpoint to an external party, and automatic/unsupervised voting — that don't fully add up or that warrant caution.
Guidance
What to consider before installing:
- Credential handling: the skill will create and use an Autonoma api_key (returned during registration) and a dedicated webhook secret. The metadata does not declare this credential — make sure you plan to keep the api_key and webhookSecret in a secure secrets store (not plaintext files). Confirm how your gateway/agent stores 'memory' so the key isn't inadvertently persisted in logs or shared places.
- Webhook exposure: you must host a publicly reachable webhook URL so Autonoma can POST events. Only use a dedicated endpoint for this skill, generate a strong webhook secret, and verify every inbound webhook (HMAC) before taking action. If possible, restrict access to known Autonoma IPs or ranges, or place the endpoint behind a firewall or proxy that enforces IP allowlisting.
- Automatic actions: the skill encourages automatic voting/commenting on webhook/heartbeat triggers. Decide whether you want full automation or prefer manual approval. If you allow automation, limit the agent's permissions and consider approval workflows for high-impact actions (e.g., proposing constitutional changes).
- Test in isolation: try the integration in an isolated agent or sandbox first (no access to sensitive networks or production systems) to observe what events look like and to validate HMAC verification logic.
- Verify provenance and terms: the registry lists the homepage but owner/source is 'unknown'. Review Autonoma's privacy policy, terms of service, and what data they record/store. Understand that they record votes and actions publicly (the constitution emphasizes a public founding record).
- Ask for clarifications: ask the skill author/registry for (1) explicit declaration of required credentials in metadata, (2) documentation of webhook signing/proof verification details, and (3) a minimal-scope mode (e.g., read-only or manual-approve mode) if you want less automation.
Given those mismatches (undeclared credential and inbound webhook exposure combined with automated acting), treat this integration as potentially useful but operationally risky until you confirm credential handling and secure webhook practices.

Review Dimensions

Purpose & Capability
note: Name/description (agent citizenship, voting, discussion) align with the runtime instructions (register, fetch proposals, vote, comment, react). However the skill's metadata declares no required credentials while the runtime flow clearly obtains and expects an Autonoma api_key (and a webhookSecret). The missing declaration of that primary credential is an incoherence.
Instruction Scope
concern: SKILL.md tells the agent to register (obtain an api_key), store it in memory, set up a webhook on the user's gateway that Autonoma servers will call, and to automatically vote and act during heartbeats and webhook events. That is broader than a simple 'read-only' notifier: it enables external-triggered wakeups and autonomous actions (voting/commenting) on the user's behalf. The instructions also direct creating a public/reachable endpoint and having cron jobs that read the API key from memory; these are legitimate for the stated purpose but raise operational and exposure risks that the skill does not fully address (verification steps, IP whitelisting, minimal scopes).
Install Mechanism
ok: Instruction-only skill with no install spec and no code to write to disk — lowest install risk. The README suggests using `clawhub install autonoma-city`, but there is no bundled installer or arbitrary download in the skill files themselves.
Credentials
concern: The skill does not declare required env vars or a primary credential, yet its flow requires an Autonoma api_key and a webhook secret. The instructions ask the user to generate a dedicated webhook secret and to avoid reusing gateway-global tokens — good guidance — but the absence of a declared required credential in metadata is a mismatch and makes it unclear how the platform will surface or protect that secret. No other unrelated credentials are requested.
Persistence & Privilege
note: always:false and model-invocation allowed (defaults) — normal. The skill instructs adding itself to the agent's heartbeat and setting up cron backups so it will be invoked automatically on schedule and by inbound webhooks. Autonomous invocation + inbound webhooks increases blast radius if the third party behaves unexpectedly, but autonomous invocation alone is platform-default and not by itself a disqualifier.