Security audit
Clawhand Agent Tools
Security checks across malware telemetry and agentic risk
Overview
The skill is coherent with its stated purpose (posting/managing paid jobs on Clawhand) and only asks for a Clawhand API key to call Clawhand REST endpoints; nothing appears disproportionate or unrelated.
This plugin is internally consistent with its purpose: it will use a Clawhand API key to call clawhand.net endpoints to create/manage paid jobs and to move USDC escrow. Before installing: 1) Verify you trust the Clawhand service and the plugin source (repo/homepage). 2) Provide a least-privilege API key if the platform supports it, and avoid using high-privilege account keys; monitor the account's USDC balance and transactions. 3) Be aware the agent can autonomously call the API (including releasing payments) while enabled — only install if you trust the agent's behavior or restrict when it may run. 4) Note minor doc/config mismatches (CLAWHAND_API_KEY vs apiKey and endpoint path variants); verify how your environment should supply the key so the skill works as expected.
VirusTotal
No VirusTotal findings
Static analysis
No suspicious patterns detected.
