Skill v0.0.2

ClawScan security

CatalystWatch · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Suspicious · Feb 22, 2026, 9:16 AM
Verdict: suspicious
Confidence: medium
Model: gpt-5-mini
Summary
The skill's requested credential (one API key) and described functionality line up, but provenance is unclear and the runtime instructions are high-level and omit details (e.g., where requests go and what permissions the API key needs).
Guidance
This skill appears to do what it says and only asks for one API key, but there are some checks you should do before installing:
- Verify the provider: ask for the service homepage, API docs, and privacy/TOS to confirm where requests go and how data is handled.
- Limit the API key: create a scoped key with the minimum permissions and avoid reusing keys from other services (do not supply brokerage or cloud credentials).
- Confirm the optional env var: ensure CATALYSTWATCH_WATCHLIST (if used) won’t cause the agent to send sensitive internal watchlists unless you intend that.
- Test safely: try with a read-only or rate-limited test key and monitor outgoing network requests to see endpoints and data payloads.
- If you need stronger assurance, prefer skills with published source/homepage and verifiable ownership.

Review Dimensions

Purpose & Capability · note
The skill claims to monitor market catalysts and only requires a single CATALYSTWATCH_API_KEY, which is proportionate to that purpose. However, the package has no homepage or source information and an unknown owner ID, making provenance and trustworthiness unclear.
Instruction Scope · note
SKILL.md is instruction-only and stays within the expected scope (querying an external catalyst service using an API key). It is high-level and does not instruct the agent to read local files or other credentials. The instructions are vague about endpoints, alerting mechanisms, and what exact data is sent, which grants the agent broad discretion at runtime.
Install Mechanism · ok
No install spec and no code files — lowest-risk delivery method. Nothing is written to disk by the skill itself. The remaining risk comes from network calls to an external API (expected for this type of skill).
Credentials · note
Declared requirement is a single API key (CATALYSTWATCH_API_KEY), which is appropriate. SKILL.md also mentions an optional CATALYSTWATCH_WATCHLIST env var, but that optional var is not listed in the declared requires.env metadata — a minor inconsistency. The skill does not declare what permissions or scopes the API key should have, so you cannot verify least-privilege.
Persistence & Privilege · ok
The always flag is false, there is no install or config path access, and the skill does not request system-level persistence. Autonomous invocation by the agent is enabled (default) — expected behavior for skills.