Skill v1.4.0
ClawScan security
Openclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Suspicious · Mar 3, 2026, 12:44 AM
- Verdict: suspicious
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill's behavior (it requires and uses a BKMRK API key and will send full bookmark content to external analysis services) is coherent with its stated purpose, but the registry metadata omits declaring the required credential and the runtime instructions describe uncapped content analysis that could expose sensitive data — these mismatches and privacy risks warrant caution.
- Guidance: Before installing or giving this skill an API key: 1) Confirm with the publisher or homepage (https://bkmrkapp.com) that BKMRK_API_KEY is the expected credential and ask them to update the skill metadata to declare it explicitly (requires.env / primaryEnv). 2) Understand that the service will extract and send full article bodies, transcripts, and repository README contents to their analysis pipeline (they state this is sent to Claude 'uncapped') — do not submit private, proprietary, or sensitive URLs unless you accept that exposure. 3) Prefer creating a scoped or revocable API key with minimal permissions, test the skill with non-sensitive bookmarks first, and verify privacy/retention policies on bkmrkapp.com and any underlying LLM provider. 4) If you need stronger guarantees, request that the skill author document how credentials are stored/used and whether data can be restricted or redacted before analysis. Installing is not blocked by these findings, but proceed carefully because the missing credential declaration and uncapped data analysis increase privacy risk.
Review Dimensions
- Purpose & Capability (concern): The SKILL.md clearly requires a BKMRK API key (X-API-Key) to call bkmrkapp.com endpoints and describes features that match the 'bookmark intelligence' purpose. However, the skill metadata lists no required environment variables or primary credential. That mismatch (instructions demanding an API key but registry declaring none) is an incoherence that could hide how the agent obtains credentials or how the user is prompted to provide them.
- Instruction Scope (note): Instructions stay within the bulletin-board/bookmark domain (browse, search, stage, reanalyze, manage projects). They do not direct the agent to read local files or unrelated environment variables. Important behavioral detail: the doc states that 'all content is sent to Claude uncapped' and that BKMRK will extract full transcripts, full article bodies, GitHub README contents, etc. That is consistent with the feature but creates a high data-exposure surface (potentially large and sensitive payloads sent off-platform).
- Install Mechanism (ok): This is an instruction-only skill with no install spec and no code files, so nothing will be downloaded or written by an installer. That minimizes supply-chain risk.
- Credentials (concern): The runtime examples require a BKMRK_API_KEY header for every call, which is proportionate to the service's API usage. However, the skill metadata does not declare any required environment variables or a primary credential, so there's no explicit, reviewed declaration of how credentials are supplied or managed. Also, the described behavior (uncapped forwarding of arbitrary submitted URLs and long transcripts to third-party LLMs) increases the sensitivity of the single credential—any key given grants access to a system that will process possibly private content.
- Persistence & Privilege (ok): The skill does not request always:true, does not declare persistent system changes, and does not modify other skills' configurations. The default autonomous invocation setting is unchanged and is expected for skills.
