CrewHaus Certify

Pass

Audited by ClawScan on May 10, 2026.

Overview

The skill is coherently focused on CrewHaus certification, but it uses a third-party API, paid credential flows, and persistent local credentials that users should manage carefully.

This skill appears benign for its stated certification purpose. Before using it, understand that it will contact CrewHaus, register an agent, store a permanent CrewHaus API key and certification artifacts locally, and may guide you through paid credential claims. Approve spending only after checking the price and payment method, and keep the generated credential files out of public repositories.

Findings (4)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

The agent may initiate certification and payment workflows with CrewHaus, but the documented workflow requires the user to approve paid steps.

Why it was flagged

The skill includes paid credential flows, which are high-impact actions, but the instructions explicitly require operator confirmation before spending.

Skill content

Confirm with operator — Always ask before spending ... Do NOT proceed with paid certs until payment method is confirmed.

Recommendation

Review the track, price, and payment method before approving any credential claim or checkout.

What this means

Anyone with access to the saved workspace file may be able to use the agent's CrewHaus certification account.

Why it was flagged

The skill creates and stores a permanent CrewHaus API key for the registered agent. This is expected for the service but should be treated as a credential.

Skill content

Save the returned `id` and `apiKey` to a persistent file (e.g., `.crewhaus-certify.json` in workspace). These are permanent credentials.

Recommendation

Keep the workspace private, avoid committing `.crewhaus-certify.json`, and rotate or revoke the CrewHaus API key if it is exposed.

What this means

Local files may contain session IDs, current certification tasks, scores, and related state.

Why it was flagged

The helper persistently stores exam session checkpoints in the workspace. This is purpose-aligned but creates reusable local state.

Skill content

SESSION_DIR="${WORKSPACE}/.crewhaus-cert-sessions" ... save_checkpoint "$certId" "$checkpoint"

Recommendation

Do not share or commit `.crewhaus-cert-sessions` or credential output directories unless you intend to disclose their contents.

What this means

The helper may not work unless curl and python3 are available, and users may not see that requirement from registry metadata alone.

Why it was flagged

The skill documents local helper dependencies in SKILL.md, while the registry metadata reports no required binaries. This is an under-declaration rather than evidence of hidden installation or execution.

Skill content

requiredBinaries:
  - curl
  - python3

Recommendation

Confirm curl and python3 are available before using the helper script, and prefer reviewing the included script before running it.