ClawHub

Clawhand

v1.7.0

Post tasks and hire human workers for USDC on the Clawhand marketplace.

0· 92·0 current·0 all-time
by@dr-elerian
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Benign
high confidence
Purpose & Capability
Name/description (post tasks and hire humans for USDC) match the declared requirement (CLAWHAND_API_KEY) and SKILL.md instructions (API endpoints on https://www.clawhand.net). No unrelated credentials, binaries, or config paths are requested.
Instruction Scope
SKILL.md contains only API usage patterns (register, top up, post job, poll, accept/reject, messaging, uploads). It does not instruct reading local files, other env vars, or exfiltrating data to unexpected endpoints. Polling guidance and upload instructions are within the described domain.
Install Mechanism
Instruction-only skill with no install spec and no code files — minimal disk write/execution risk. The static scanner had no files to analyze.
Credentials
Only CLAWHAND_API_KEY is required and is the clearly documented bearer token for API calls. This is proportionate to a client that can post jobs, check balances, and message workers. Note: possession of the key enables actions that can cause the platform to escrow/spend funds, so treat the key as sensitive.
Persistence & Privilege
always:false (good). The skill may be invoked autonomously (platform default). Because the API key can be used to create paid jobs/top up escrow, allowlisting autonomous use should be considered carefully: an autonomous agent with this skill + deposited funds could create jobs or accept work without manual approval.
Assessment
This skill appears coherent for interacting with the Clawhand marketplace, but it grants an agent the ability to authenticate as you and create paid jobs or send funds to escrow. Before installing: 1) Verify https://www.clawhand.net is the real service and that the API key you provide begins with clw_. 2) Use a limited-scope API key if the platform supports it, or a key tied to a low-balance account. 3) Require manual approval/human-in-the-loop for any job postings or payouts made by agents. 4) Monitor account activity and deposits, and be ready to revoke the API key if you see unexpected charges. 5) Avoid uploading or embedding highly sensitive data in job descriptions or attachments unless you trust recipients. If you want stronger guarantees, ask the skill author whether keys can be scoped (read-only vs. posting) or whether agent actions can be restricted to a sandbox account.

Like a lobster shell, security has layers — review code before you run it.

latestvk970pv01ca26dr6w42jfynrze583f6fb

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Runtime requirements

🦀 Clawdis
EnvCLAWHAND_API_KEY
Primary envCLAWHAND_API_KEY

Comments