Back to skill
Skillv1.0.0
ClawScan security
Hash Generate · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
BenignMar 4, 2026, 3:43 AM
- Verdict
- benign
- Confidence
- high
- Model
- gpt-5-mini
- Summary
- The skill's requests and instructions match its stated purpose (hashing, HMACs, encoding, UUIDs) and require no extra credentials or installs, but it routes user data to an external API — avoid sending secrets and verify the service before use.
- Guidance
- This skill calls a third-party API (https://hash.agentutil.net) to compute hashes and encodings. Do not send passwords, private keys, or other secrets to it unless you explicitly accept the risk. Verify the service's trustworthiness (homepage, privacy policy) before using with sensitive data. Note the free tier is rate-limited (10/day) and a paid option mentions crypto payments — be cautious about any external payment flow. If you need hashing for sensitive data, consider using a local library or tool instead of an external API.
Review Dimensions
- Purpose & Capability
- okName/description align with the SKILL.md endpoints (hash, hmac, encode/decode, identify, uuid). The skill requests no unrelated binaries, env vars, or config paths.
- Instruction Scope
- noteInstructions are concrete curl calls to https://hash.agentutil.net and do not ask the agent to read local files or unrelated environment variables. However, the skill explicitly sends user-provided input to an external service — this is expected for a remote hashing API but has data-exfiltration implications for sensitive inputs.
- Install Mechanism
- okNo install spec or code files are present (instruction-only), so nothing is written to disk or installed by the skill.
- Credentials
- noteThe skill requests no environment variables or credentials (proportional). One additional consideration: pricing references a paid tier using an on-chain payment protocol (x402 / USDC on Base), which implies an external payment flow or wallet interaction not handled by the skill; this is informational but may be unexpected for some users.
- Persistence & Privilege
- okalways:false and no special privileges are requested. The skill does not request permanent presence or system-level changes.