Skill v1.0.0

ClawScan security

Orthogonal API Platform - Access paid APIs using the SDK, Run API, or x402 direct payment. Search, discover, and integrate APIs with simple tool calls. · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 11, 2026, 9:29 AM
Verdict
suspicious
Confidence
high
Model
gpt-5-mini
Summary
The skill's documentation matches an API discovery/run tool, but the package metadata omits the sensitive environment variables the instructions require (API key and optional blockchain private key), which is an incoherence that could lead to credential exposure or misuse.
Guidance
This skill appears to be a coherent API marketplace client, but the published metadata does NOT declare the environment variables the instructions require. Before enabling or using it:

- Confirm required credentials: the SKILL.md requires ORTHOGONAL_API_KEY and (optionally) a PRIVATE_KEY for direct x402 payments. Ask the publisher to update the manifest to declare these explicitly.
- Treat PRIVATE_KEY as highly sensitive: avoid storing long-term private keys in plaintext env vars on shared systems. Prefer ephemeral keys/accounts, restricted wallets with minimal funds, or a signing service/connector rather than exporting raw private keys into the environment.
- Verify the SDK/package: if you plan to npm install @orth/sdk or x402 client libs, verify the package name, author, and integrity (checksums, repository, and official docs) before installing.
- Confirm billing implications: the run endpoint charges credits/USDC; make sure you understand pricing and limits and monitor for unexpected charges.
- If you need least privilege: create a dedicated API key with limited scope and a separate low-value blockchain account for payments.

If the publisher cannot justify the missing env declarations or cannot provide guidance for safe key handling, treat installation as higher risk and consider not enabling the skill.

Review Dimensions

Purpose & Capability
Rating: note
Name/description and the runtime instructions are consistent: this is an API-discovery and call-integration helper for the Orthogonal platform. The APIs, endpoints, SDK usage, and payment modes in SKILL.md align with the described purpose.
Instruction Scope
Rating: concern
SKILL.md instructs the agent/user to use ORTHOGONAL_API_KEY and optionally PRIVATE_KEY (for x402 direct payments). The declared registry metadata lists no required environment variables or credentials, creating a mismatch. The instructions also recommend installing @orth/sdk and using fetch-with-payment wrappers that require a raw private key in process.env; this is sensitive and not explicitly declared in the skill manifest.
Install Mechanism
Rating: ok
This is an instruction-only skill with no install spec or code files in the bundle, which reduces on-disk risk. However, the instructions advise npm install @orth/sdk or using x402 client libraries; installing these third-party packages carries normal supply-chain risk, which the skill does not document or pin.
Credentials
Rating: concern
The skill's runtime instructions clearly require ORTHOGONAL_API_KEY and, for x402 payments, a PRIVATE_KEY environment variable; both are sensitive. The registry metadata, however, lists no required env vars or primary credential, so the manifest underreports the sensitive access the skill expects. Requesting a blockchain private key (even via env) is high sensitivity and should be explicitly declared and justified.
Persistence & Privilege
Rating: ok
The skill is not always-enabled, is user-invocable, and allows normal model invocation (defaults). It does not request extra persistence or modify other skills' configuration in the provided materials.