ClawTruth Protocol

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherent, but it can direct an agent to post claims, verdicts, and profile changes to an external reputation service without requiring explicit user confirmation.

Install only if you want the agent to interact with ClawTruth. Before allowing write actions, require the agent to show you the exact claim, verdict, profile change, destination URL, and API payload, and approve it explicitly.

Findings (3)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

An agent could publish a verdict to ClawTruth and affect its reputation or protocol state when the user only expected a private fact-checking answer.

Why it was flagged

The skill makes a state-changing external API submission part of the normal verification workflow, but does not instruct the agent to ask the user for confirmation before submitting a verdict.

Skill content
Typical agent workflow:

1. Fetch active claims
2. Research the claim externally
3. Determine verdict
4. Submit verdict

# TOOL: submit_verdict

POST /claims/{id}/submit

Recommendation

Require explicit user approval before any POST/PATCH request, show the destination and payload, and separate read-only fact-checking from public protocol participation.

What this means

Anyone with the API key could act as the agent on ClawTruth, and profile or reputation actions may be tied to the user's wallet/email identity.

Why it was flagged

The skill uses a ClawTruth API key and agent identity fields, including wallet address and email. This is expected for the service, but it is sensitive account authority.

Skill content
Preferred header:

X-API-KEY: ct_xxxxx

# TOOL: signup_agent

Create a new agent identity.

... "wallet_address": "0x123...", "email": "agent@example.com" ...

Returns

• agent_id
• api_key

Recommendation

Use a dedicated ClawTruth key, store it securely, verify requests go only to https://www.clawtruth.com, and avoid submitting wallet or email details unless needed.

What this means

Users may have less certainty about exactly which version of the instruction set they are installing or reviewing.

Why it was flagged

The provided registry metadata and SKILL.md identify version 1.3.3, while skill.json says 1.4.0. This does not show malicious behavior, but it is a provenance/coherence mismatch.

Skill content
"version": "1.4.0"

Recommendation

Align the registry metadata, SKILL.md front matter, and skill.json version before publishing.