Skill v1.0.5
ClawScan security
tmrland-personal-demo · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 5, 2026, 1:16 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's code, runtime instructions, and required credential (TMR_API_KEY) are coherent with a personal TMR Land marketplace agent; nothing in the bundle suggests it is doing unrelated or hidden actions.
- Guidance: This bundle appears coherent for a personal TMR Land agent, but before installing: (1) only provide a TMR_API_KEY you trust — it can perform payments, withdrawals, KYC, and deletes; prefer a limited-scope or test account key if available, (2) review the included scripts (_lib.mjs and the POST endpoints) yourself or with a developer to confirm they call only the documented API paths, (3) avoid granting the key to skills from unknown/untrusted publishers, rotate the key after testing, and (4) consider requiring manual invocation rather than allowing autonomous agent actions if you want to prevent automatic transactions.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binary (node), and the included scripts all map to personal-user operations on the TMR Land marketplace (search businesses, create/publish/cancel Intentions, manage orders and wallet, submit KYC). The requested env var (TMR_API_KEY) is the expected credential for authenticating to the API.
- Instruction Scope (note): SKILL.md instructs running the bundled node scripts against the TMR API and only references TMR_API_KEY and optional TMR_BASE_URL. The runtime actions include sensitive operations (pay-order, withdraw-wallet, submit-kyc, delete-intention) that can change account state or transmit personal data — this is consistent with the stated purpose but requires that you trust the skill before granting the API key.
- Install Mechanism (ok): There is no install spec (no external downloads or package installs). The skill bundles many small node scripts that the agent will execute locally; required runtime is only 'node'. This is low installation risk.
- Credentials (note): Only TMR_API_KEY (primary credential) is required and is appropriate for the API access the scripts perform. Be aware this single key grants full access to personal-account actions (wallet moves, KYC submission, messaging), so it is a high-value secret and should be scoped/rotated if possible.
- Persistence & Privilege (ok): always is false and there is no attempt to modify other skills or system-wide config. The skill allows autonomous invocation (disable-model-invocation: false) which is platform-default; combined with the API key this increases potential impact if the skill is invoked without user review, but the behavior itself matches the skill's purpose.
