Joke Api

Security checks across static analysis, malware telemetry, and agentic risk

Overview

This skill appears to do what it claims: fetch jokes from the public JokeAPI, with no evidence of credential use, persistence, data theft, or destructive behavior.

This looks safe for its stated purpose. Before installing, remember that it contacts the public JokeAPI service and may return offensive jokes unless safe-mode or blacklist filters are used. Because the source is unknown, inspect the included scripts if you are cautious, but the provided artifacts do not show malicious behavior.

Static analysis

No static analysis findings were reported for this release.

VirusTotal

VirusTotal findings are pending for this skill version.

Risk analysis

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

What this means

Search keywords or selected joke filters may be transmitted to JokeAPI, and returned joke text may include offensive content unless filtering is used.

Why it was flagged

The helper performs outbound requests to the public JokeAPI. This is expected for the skill, but user-supplied search terms and filter choices are sent to that external service.

Skill content

BASE_URL = "https://v2.jokeapi.dev" ... urllib.request.urlopen(req, timeout=10)

Recommendation

Avoid putting sensitive information in joke search terms, and use safe-mode or blacklist filters when jokes may be shown in professional or public contexts.

What this means

Users may need to inspect the included scripts themselves and ensure the expected local tools are available.

Why it was flagged

The package has limited provenance metadata and does not declare runtime tools, while the included scripts use local bash, curl, and python3 helpers. The scripts are visible and purpose-aligned, so this is a notice rather than a concern.

Skill content

Source: unknown; Homepage: none; Required binaries (all must exist): none

Recommendation

Review the small included scripts before use and prefer installing from a known or verified source when possible.