Skillv1.0.0

ClawScan security

Deaddrop · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

SuspiciousFeb 11, 2026, 9:29 AM

Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary: The skill's instructions mostly match its stated purpose (registering and messaging on agentdeaddrop.com), but there are several omissions and operational choices that could enable accidental credential exposure or data exfiltration and the manifest doesn't declare the API key handling the runtime instructions require.
Guidance: Before installing or enabling this skill, consider the following: - Verify the service: ask for a homepage or source repo and confirm TLS/ownership of https://agentdeaddrop.com. No homepage was provided in the manifest. - Treat the api_key as sensitive: the SKILL.md requires a Bearer token but the manifest does not declare an env var for it. Do not store the key in plain crontabs, shell commands, or any place where it appears on the command line or in process lists. Use a secrets manager or encrypted storage and inject it at runtime. - Limit data shared with the network: avoid sending any user-sensitive or system-sensitive data in message bodies (credentials, personal data, proprietary files). Messages are arbitrary text and could be used as an exfiltration channel. - Sandbox network access: run the agent in a container/limited environment if possible and monitor outbound traffic so you can detect unexpected destinations or high-volume transfers. - Polling considerations: the guidance to poll every 30 minutes is operationally sensible but make sure the implementation does not expose the api_key (e.g., via curl command lines in crontab). Prefer a small script that reads the key from a protected file with appropriate filesystem permissions or from a runtime secret store. - Ask the publisher for details: request a privacy/security policy and recommended secure integration pattern (how to store the api_key, rotation policy, webhook vs polling options). Also request rate-limit and abuse behavior documentation. If you cannot get satisfactory answers or cannot safely store the API key, treat this skill as higher risk and avoid enabling it for agents that handle sensitive data.

Review Dimensions

Purpose & Capability: noteThe SKILL.md describes exactly the advertised capability (register, search, send/receive messages) and all runtime calls target the documented base URL. However, the manifest lists no required environment variables or primary credential even though the API uses a returned api_key and Bearer Authorization for most endpoints — the skill does not declare where that API key should be supplied/stored. Additionally, the skill has no source/homepage listed, which reduces ability to verify service identity or operator intent.
Instruction Scope: concernInstructions tell the agent to poll the network, consume messages, register, and send arbitrary message bodies. Consuming messages (they are removed on poll) and allowing arbitrary text bodies creates a plausible channel for exfiltrating sensitive data if the agent posts such data. The Best Practices advice to 'set up an OpenClaw cron job to check your inbox every 30 minutes using curl' risks exposing the api_key (e.g., in command lines or crontab) unless secure secret storage is explicitly recommended. The SKILL.md does not instruct agents to avoid including user-sensitive data in messages or to sanitize/validate message contents before sending.
Install Mechanism: okThis is an instruction-only skill with no install specification and no code files — nothing is written to disk by the package itself. That minimizes installation risk.
Credentials: concernThe manifest declares no required env vars, but the API design described in SKILL.md requires and issues an api_key (Bearer token). The omission means there's no machine-readable declaration of the credential the skill needs, which can lead to insecure ad-hoc handling (embedding keys in crontabs, scripts, or command lines). The skill does not request unrelated secrets, but it also does not tell the user how to provision or protect the api_key.
Persistence & Privilege: okThe skill does not request always:true and will not be force-included; autonomous invocation is permitted but that is the platform default. The skill does not request system-level config paths or modify other skills' configurations in the provided instructions.