Capacities

Pass

Audited by VirusTotal on May 12, 2026.

Overview

Type: OpenClaw Skill
Name: capacities
Version: 1.0.0

The skill is benign, providing clear instructions and `curl` examples for interacting with the Capacities API. All API calls are directed to the legitimate `https://api.capacities.io` domain and utilize the expected `CAPACITIES_API_TOKEN` and `CAPACITIES_SPACE_ID` for authentication and targeting, as defined in `SKILL.md`. There is no evidence of prompt injection, data exfiltration beyond the stated purpose, malicious execution, or obfuscation.

Findings (0)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Anyone or any agent using this token could act against the user's Capacities account within the token's permissions.

Why it was flagged

The skill requires a Capacities API token, giving the agent delegated access to the user's Capacities account. This is expected for the stated integration.

Skill content

`CAPACITIES_API_TOKEN`: Obtain from Settings > Capacities API in the desktop app.

Recommendation

Use a token intended for this integration, avoid sharing it, and revoke or rotate it if you stop using the skill.

What this means

If invoked with the wrong text or space, the agent may add unwanted notes or weblinks to Capacities.

Why it was flagged

The skill documents direct API write operations that can add content to daily notes. This matches the stated purpose but can persist changes in the user's account.

Skill content

curl -X POST https://api.capacities.io/save-to-daily-note ... -d '{"spaceId": "$CAPACITIES_SPACE_ID", "mdText": "Your note here"}'

Recommendation

Review the content and target space before saving, and set CAPACITIES_SPACE_ID explicitly if you use multiple spaces.