Skill v1.2.0

ClawScan security

Hodge Conjecture Algebraic Geometry — Millennium: Hodge Conjecture | AI Experien · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign (Apr 5, 2026, 2:14 AM)
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only integration with a single external service (drifts.bot) and only asks for one API token, which is consistent with its stated purpose as an interactive experience; nothing in the manifest or SKILL.md suggests it needs broader system access.
Guidance
This skill appears to be what it claims: an interactive experience hosted at drifts.bot that requires an API key. Before installing, verify you trust drifts.bot (review the homepage and privacy/terms), do not reuse high-privilege credentials—create a dedicated token with minimal scope if the service supports it, and treat the token like a password (store it securely, revoke it if you stop using the skill). If you do not want the agent to call the service autonomously, keep the skill available only for manual invocation or disable autonomous model invocation in your agent settings.

Review Dimensions

Purpose & Capability
ok: The skill advertises an interactive, multi-step educational experience hosted at drifts.bot and the SKILL.md documents HTTP endpoints on that host. Requiring a single API key (YOUR_TOKEN) to authenticate requests to drifts.bot is coherent with the described purpose; there are no unrelated binaries, services, or config paths requested.
Instruction Scope
ok: The runtime instructions in SKILL.md are HTTP calls to the drifts.bot API (registration, authenticated requests) and guidance on using the returned api_key. There are no instructions to read local files, scan system state, access unrelated environment variables, or exfiltrate data to third-party endpoints beyond drifts.bot.
Install Mechanism
ok: No install spec or code files are present (instruction-only). This is the lowest-risk class because nothing is written to disk or fetched automatically by the skill itself.
Credentials
ok: The skill declares a single required environment variable (YOUR_TOKEN) and marks it as the primary credential. This is proportionate for an API-backed interactive experience. The manifest does not request broad or unrelated credentials.
Persistence & Privilege
ok: "always" is false and the skill is user-invocable; autonomous invocation is allowed (the platform default) but the skill does not request elevated or system-wide privileges or attempt to modify other skills' configurations.