v0.1.6

AOI Hackathon Scout (Lite)

Benign

ClawScan verdict for this skill. Analyzed May 1, 2026, 5:42 AM.

Analysis

This skill appears to be a simple local read-only hackathon list/filter CLI, with no evidence of hidden crawling, submissions, credential theft, or data transfer.

Guidance: This looks safe to install for local hackathon source filtering. Review your local context files before sharing outputs, and only run the optional Brave Search configuration if you intentionally want OpenClaw to use that API key.

Findings (2)

Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.

Permission boundary

Checks whether tool use, credentials, dependencies, identity, account access, or inter-agent boundaries are broader than the stated purpose.

Identity and Privilege Abuse
Severity: Low; Confidence: High; Status: Note
SKILL.md
openclaw config set tools.web.search.apiKey "BRAVE_API_KEY_HERE"

The skill documents an optional Brave Search API key setup. This is disclosed and user-directed, and the included code does not use the key, but it is still a credential configuration users should apply intentionally.

User impact: If the user enables Brave Search, OpenClaw may use that API key for web search and the key may be stored in local configuration.
Recommendation: Only configure the Brave key if you need that optional search feature, use a limited key where possible, and disable it again if no longer needed.

Sensitive data protection

Checks for exposed credentials, poisoned memory or context, unclear communication boundaries, or sensitive data that could leave the user's control.

Memory and Context Poisoning
Severity: Info; Confidence: High; Status: Note
skill.js
const file = path.join(root, 'context', 'HACKATHON_SHORTLIST.md'); ... const text = fs.readFileSync(file, 'utf8');

The CLI reads user-maintained local context files and uses their contents to produce recommendations. This is purpose-aligned and scoped, but the file contents directly influence the output.

User impact: Incorrect, stale, or private content in the shortlist/template files could be reflected in the CLI output or affect recommendations.
Recommendation: Keep the context files curated, verify links and deadlines before acting, and do not store secrets or unrelated private data in the hackathon context files.