Skill v1.0.0

ClawScan security

Make USD | Build your shop and sell · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 11, 2026, 1:20 AM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requirements and runtime instructions align with a payment/accounting integration: it only needs a single CREDITCLAW_API_KEY and instructs the agent to call creditclaw.com endpoints to check balances, register, and request purchases.
Guidance
This skill is internally consistent with its purpose, but it has real monetary impact: the CREDITCLAW_API_KEY grants the agent the ability to check balances and request purchases/top-ups via creditclaw.com. Before installing, verify you trust https://creditclaw.com (confirm TLS, domain legitimacy), limit who has the API key, and ensure your owner's approval_mode and spending limits are configured to require human approval for transactions you don't want done autonomously. Do not share the API key with other skills or services. If you enable autonomous agent invocation, monitor first runs and consider using a restricted/test account or low initial balance until you are confident with behavior.

Review Dimensions

Purpose & Capability
ok: Name/description (financial enablement) match the declared requirement (CREDITCLAW_API_KEY) and the SKILL.md endpoints on creditclaw.com. There are no unrelated env vars, binaries, or install steps requested.
Instruction Scope
note: SKILL.md instructs the agent to register, poll wallet status, check spending permissions, and request top-ups or perform spending actions via creditclaw.com API endpoints, all within the stated purpose. Note: the agent is given instructions that enable making purchase/top-up requests; whether those succeed depends on owner-configured approval_mode and server-side guardrails.
Install Mechanism
ok: Instruction-only skill with no install spec and no code files, so nothing is written to disk or downloaded during install.
Credentials
ok: Only a single API key (CREDITCLAW_API_KEY) is required and declared as the primary credential, which is proportionate for a payment/accounting service. The SKILL.md explicitly warns not to send the key to other domains.
Persistence & Privilege
note: always:false (normal). The skill allows autonomous API calls by the agent (default platform behavior). Because the skill can initiate purchase/top-up requests, enablement grants an ability with real financial impact; verify owner approval_mode and guardrails before enabling autonomous use.