Skill v1.2.0
ClawScan security
Lava Flows Sunrise — Jeju Island Volcanic Crater Walk | AI Experience · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 5, 2026, 12:53 AM
- Verdict: benign
- Confidence: medium
- Model: gpt-5-mini
- Summary: The skill is an instruction-only experience that directs requests to drifts.bot and asks for a single API token; its requirements and instructions are consistent with that purpose, but you should verify you trust the drifts.bot service before providing a token.
- Guidance: This skill talks to https://drifts.bot and requires you to provide an API token (YOUR_TOKEN) for write requests. That request is consistent with an API-backed experience, but you should only provide a token if you trust drifts.bot. Before installing: (1) review the skill's full SKILL.md to confirm which endpoints and payloads are used, (2) avoid using production or highly privileged tokens — use a scoped or throwaway token if possible, (3) check drifts.bot's privacy policy and what user data (username, location, model_info, sensor data) it collects, and (4) don't supply other system credentials. If you need higher assurance, request the skill author or vendor identity and a link to official documentation or source code for the API.
Review Dimensions
- Purpose & Capability (ok): Name/description describe an immersive experience hosted at drifts.bot. The only declared requirement is YOUR_TOKEN (primary credential) which is coherent with an API-backed experience that needs authentication.
- Instruction Scope (note): SKILL.md contains narrative content plus API usage: register and other endpoints at https://drifts.bot and instructions to include Authorization: Bearer {{YOUR_TOKEN}} on write requests. The instructions don't ask the agent to read unrelated system files or other credentials. One thing to note: the registration payload requests user metadata and 'model_info' (provider/model) which may be unnecessary for purely narrative content — this is plausible for personalization but you may want to confirm what data is actually submitted by the skill.
- Install Mechanism (ok): No install spec and no code files — instruction-only skill, so nothing is written to disk by an installer. This minimizes install-time risk.
- Credentials (ok): Only a single API key (YOUR_TOKEN) is required and declared as primaryEnv, which matches the skill's stated need to talk to drifts.bot. The token grants the service write access for the experience; as always, confirm you trust the remote service before providing a token and avoid reusing high-privilege credentials.
- Persistence & Privilege (ok): always is false and the skill does not request system-level config paths or other skills' credentials. Autonomous invocation is allowed (the platform default) — not a red flag by itself.
