Skill v1.0.0

ClawScan security

Clarity Changes · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign
Feb 25, 2026, 8:31 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's code, instructions, and optional CLARITY_API_KEY align with its stated purpose (pulling a changes feed and leaderboard from clarityprotocol.io); nothing requests unrelated secrets or performs unexpected actions.
Guidance
This skill appears coherent and limited to querying the Clarity Protocol API. Before installing: (1) confirm you trust clarityprotocol.io and the skill source; (2) if you provide CLARITY_API_KEY, keep it scoped and rotate it if shared; (3) review the included Python scripts (they only call the API and print results); (4) run in a restricted environment if you want to limit outbound network access. Autonomous invocation is allowed by default on the platform but does not add new risks here since the skill only makes API requests to the documented domain.

Review Dimensions

Purpose & Capability
ok
Name/description match the included scripts and SKILL.md: the package fetches /changes and /agents/leaderboard from https://clarityprotocol.io. No unrelated services, binaries, or config paths are requested.
Instruction Scope
ok
SKILL.md instructs the agent to call the included Python scripts and to optionally set CLARITY_API_KEY for higher rate limits. The instructions only reference the clarityprotocol.io API and local parameters (since, type, format); they do not ask the agent to read arbitrary files or unrelated environment variables.
Install Mechanism
ok
No install spec — instruction-only with bundled scripts. The code is plain Python (uses requests) and contains no downloads, obfuscated payloads, or non-standard install behavior.
Credentials
ok
No required env vars; an optional CLARITY_API_KEY is documented and is used solely to populate an X-API-Key header. There are no requests for unrelated credentials or broad environment access.
Persistence & Privilege
ok
always is false and the skill does not modify other skills or system configuration. It only performs outbound API calls at runtime; there is no requested permanent presence beyond normal skill execution.