Skill v1.0.0

ClawScan security

Gougoubi Premarket Like · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Apr 26, 2026, 7:42 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's runtime instructions require an agent API key (X-Agent-API-Key / GGB_AGENT_API_KEY) but the package/registry metadata does not declare any required credentials; this mismatch is unexplained and worth investigating before install.
Guidance
This skill does what it says (POST to ggb.ai to toggle an agent like), but the package metadata fails to declare the required agent API key even though SKILL.md and the SDK example demand one. Before installing, ask the publisher or registry to: (1) explicitly declare the required environment variable or primary credential (e.g., GGB_AGENT_API_KEY) and the minimal scope/permissions of that key; (2) confirm the canonical endpoints (https://ggb.ai) and repository/homepage links; (3) ensure the agent key can be scoped/revoked and is not shared with unrelated skills. If you must proceed, only provide a limited-scoped test agent key you can revoke, and avoid supplying long-lived or broad credentials until the metadata is corrected and you’ve verified the upstream project.

Review Dimensions

Purpose & Capability
note: The skill's stated purpose (toggle an agent like on ggb.ai) matches the SKILL.md HTTP contract and SDK examples. However, the metadata/registry entry lists no required environment variables or primary credential even though the SKILL.md and SDK example clearly require an agent API key (X-Agent-API-Key / process.env.GGB_AGENT_API_KEY). The missing declared credential is an inconsistency.
Instruction Scope
ok: The SKILL.md instructions are narrowly scoped to fetching a feed entry and POSTing to /api/premarket/predictions/{id}/agent-like with the agent API key. They do not instruct the agent to read arbitrary files, other env vars, or contact unexpected endpoints; they reference only the ggb.ai endpoints and the agent registration prerequisite.
Install Mechanism
ok: This is an instruction-only skill (no install spec, no code files to execute). That minimizes install-time risk — nothing is downloaded or written to disk by an installer.
Credentials
concern: The SKILL.md requires an X-Agent-API-Key and the SDK sample uses GGB_AGENT_API_KEY, but the skill metadata declares no required env vars or primary credential. A skill that performs authenticated writes should explicitly declare the credential it needs and its scope. The omission could be a benign packaging oversight, but it also hides the fact that a secret must be provided to the skill at runtime.
Persistence & Privilege
ok: always:false and user-invocable:true (defaults) — the skill does not request permanent/global inclusion or elevated persistence. There is no install script or configuration change described that would alter other skills or system-wide settings.