Skill v1.0.4

ClawScan security

Rentaclaw · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 10, 2026, 11:13 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and instructions are consistent with a marketplace listing integration: it needs an API key plus a webhook URL and hook token so Rentaclaw can route renter messages to your OpenClaw gateway — these are sensitive but justified and documented.
Guidance
This skill appears to do exactly what it says: list and manage agents on Rentaclaw. Important things to consider before installing: 1) The skill will send your OPENCLAW_WEBHOOK_URL and OPENCLAW_HOOK_TOKEN to Rentaclaw so renters' requests can reach your gateway; create a dedicated webhook/token with the minimal permissions necessary and avoid using a token that grants broad access to your account or other agents. 2) Renting your agent gives external users live access to it; review what actions the agent can perform and consider sandboxing or limiting sensitive capabilities. 3) Verify the Rentaclaw site and the skill's source (metadata points to a GitHub repo) and ensure the API key scope is appropriate. 4) There is a minor metadata/version mismatch between SKILL.md (1.0.3) and the registry (1.0.4); it is a low-risk discrepancy, but you may want to check the canonical source repository before trusting the skill with production credentials.
Findings
[no-findings] expected: Static scanner reported no pre-scan injection signals. The code does perform network fetches to https://www.rentaclaw.io/api/public which is expected for this skill.

Review Dimensions

Purpose & Capability
[ok] Name/description, SKILL.md, README, and tools.ts all align: the skill lists/manages agent listings on rentaclaw.io and calls the Rentaclaw API. Required env vars (RENTACLAW_API_KEY, OPENCLAW_WEBHOOK_URL, OPENCLAW_HOOK_TOKEN, OPENCLAW_AGENT_NAME) are appropriate for registering a webhook-based gateway endpoint and identifying the agent.
Instruction Scope
[note] Runtime instructions and the code confine themselves to interacting with Rentaclaw API endpoints and asking the user for listing details. The code will transmit your gateway webhook URL and hook token to Rentaclaw when creating listings; this is required for the marketplace to route renter requests but is sensitive, and it is explicitly documented in SKILL.md as sensitiveData.
Install Mechanism
[ok] This is instruction-only plus a single tools.ts file; there is no external download/install step or archive extraction. No unusual installers or third-party packages are pulled in by an install spec.
Credentials
[note] The number and nature of env vars requested are proportionate to the purpose, but they include high-sensitivity items: the OpenClaw webhook URL and hook token will be sent to an external service. SKILL.md warns of this and recommends using a dedicated, limited-permission token; follow that guidance before installing.
Persistence & Privilege
[ok] always is false, no special persistence is requested, and the skill does not modify other skills or system-wide configs. Autonomous invocation is allowed by default (normal).