Texas Electricity Savings Monitor

Review: Audited by ClawScan on May 10, 2026.

Overview

The electricity-shopping workflow is coherent, but the skill embeds an undeclared access token and sends home-address data to external services.

Install only if you are comfortable sharing a Texas service address with the Personalized Energy/PowerLego lookup flow. The maintainer should replace the embedded bearer token with a declared, rotatable secret and add clearer metadata about Python script execution and external data sharing.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The skill operates under an opaque third-party credential, so users cannot verify whose access is being used or how that access is controlled.

Why it was flagged

The skill embeds a bearer credential directly in source code for PowerLego API calls. The artifacts do not explain the token owner, scope, rotation, or why no credential is declared in metadata.

Skill content
API_TOKEN = "Bearer 679b742f444ac4121368dfd32e504119" ... "Authorization": API_TOKEN
Recommendation

Remove the hardcoded token, load it at runtime from a declared secret or provider configuration, document the API provider and the token's scope, and rotate the exposed credential. Because the token ships in the skill source, it should be treated as already compromised regardless of whether the code is later fixed.
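As an added example (not code from the skill or from ClawScan), the flagged pattern next to the hardened form the recommendation describes: a small static check that locates inline bearer literals in source text, and a helper that resolves the token from a declared environment variable and fails closed when it is absent. The variable name POWERLEGO_API_TOKEN, the dummy token and the two snippets are assumptions constructed for this example.

```python
"""Hardcoded bearer token: a static check for the flagged pattern, and the
hardened replacement that reads a declared secret at runtime.

Added example. POWERLEGO_API_TOKEN is an assumed variable name, not the
skill's own; the snippets below are constructed samples.
"""
import os
import re
from typing import Mapping

# Matches a string literal that carries a bearer token inline, e.g.
#   API_TOKEN = "Bearer 0123..."   or   "Authorization": "Bearer 0123..."
# A run of 16+ token-like characters after "Bearer " is treated as a real
# secret; short placeholders such as "Bearer <token>" are deliberately skipped.
_BEARER_LITERAL = re.compile(
    r"""(['"])Bearer\s+(?P<token>[A-Za-z0-9_\-./+=]{16,})\1"""
)


def find_hardcoded_bearer_tokens(source: str) -> list[dict]:
    """Return one record per inline bearer literal found in `source`.

    The token is masked in the record so the finding itself does not
    re-leak the secret into logs or review output.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for m in _BEARER_LITERAL.finditer(line):
            tok = m.group("token")
            findings.append({
                "line": lineno,
                "masked": tok[:4] + "..." + tok[-4:],
                "length": len(tok),
            })
    return findings


def build_auth_header(env: Mapping[str, str],
                      var: str = "POWERLEGO_API_TOKEN") -> dict:
    """Hardened form: the credential comes from a declared, rotatable secret.

    Fails closed if the variable is unset or empty; there is no embedded
    fallback value to fall back to.
    """
    token = env.get(var, "").strip()
    if not token:
        raise RuntimeError(
            f"{var} is not set; refusing to call the API without a declared credential"
        )
    if token.lower().startswith("bearer "):
        # Accept either the raw token or a value that already carries the scheme.
        token = token[7:].strip()
    return {"Authorization": f"Bearer {token}"}


# Constructed sample of the flagged pattern (dummy token, not the exposed one).
VULNERABLE_SNIPPET = '''
API_TOKEN = "Bearer 0123456789abcdef0123456789abcdef"
headers = {"Authorization": API_TOKEN}
'''

# The same call site after the fix: no literal, secret resolved from the environment.
HARDENED_SNIPPET = '''
headers = build_auth_header(os.environ)
'''


if __name__ == "__main__":
    print(find_hardcoded_bearer_tokens(VULNERABLE_SNIPPET))
    print(find_hardcoded_bearer_tokens(HARDENED_SNIPPET))
    print(build_auth_header({"POWERLEGO_API_TOKEN": "example-rotated-secret-value"}))
```

The scanner is a pre-commit style check, not a substitute for rotation: once a token has been committed it must be revoked regardless of whether the literal is later removed. The masked record keeps enough of the value to confirm which credential was found without reproducing it.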

What this means

A user's residential service address may be shared with external services to perform the plan lookup and usage estimate.

Why it was flagged

The helper sends address lookup and usage-estimation requests to external PowerLego endpoints, including address fields such as address1, city, state, and zipcode.

Skill content
ADDRESS_VALIDATOR_API = "https://www.powerlego.com/ApiGateway/v1/address_validator" ... USAGE_ESTIMATOR_API = "https://www.powerlego.com/ApiGateway/v1/usage_estimator"
Recommendation

Clearly disclose the external services used and what address data is sent before performing lookups.

What this means

Users may not realize that backend services are being used to process their address unless the skill adds a separate privacy disclosure.

Why it was flagged

This is partly a consumer-friendly voice rule, but it can also prevent the agent from transparently explaining external API use or credential handling when that matters to user consent.

Skill content
Never mention internal tools, scripts, APIs, tokens, or implementation details.
Recommendation

Keep technical details out of ordinary replies, but allow clear privacy and provider disclosures when user data leaves the conversation.

What this means

Users and reviewers may underestimate that this skill runs local helper code and performs network-backed lookups.

Why it was flagged

The skill is script-first and requires local Python helper execution, while the supplied metadata describes no install spec and no required binaries. The included scripts appear purpose-aligned, but the execution requirement is under-declared.

Skill content
`python scripts/normalize_address_query.py --address-query "USER_INPUT"` ... `python scripts/fetch_best_plan.py --street "..."`
Recommendation

Declare Python/script execution and external network behavior in metadata so users can review the actual runtime requirements.