Skill v1.2.3
ClawScan security
FeedOracle Compliance Intelligence · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Mar 14, 2026, 12:21 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's declared purpose, required resources, and runtime instructions are internally consistent. It is an instruction-only connector to feedoracle.io that needs only curl and (optionally) an API key; there are a few minor documentation inconsistencies and normal privacy considerations to note.
- Guidance: This skill appears to do what it says: it calls feedoracle.io endpoints and returns signed evidence. Before installing, confirm you are comfortable with queries being sent to an external service (feedoracle.io). Do not include PII or sensitive conversation history in user questions, agent registration, or audit entries; the skill documents that such data should not be sent but will accept whatever the agent/user supplies. If you require strict prevention of autonomous calls, either change platform settings to disable model invocation for this skill or verify that your agent honors the SKILL.md 'user-request-only' policy. Optionally verify the service's JWKS URL and trust policy (links in README) before relying on cryptographic evidence. Minor notes: docs include a small version mismatch (SKILL.md v1.2.2 vs registry v1.2.3) and README references an npx install path despite there being no install spec here. These are documentation inconsistencies worth confirming with the publisher but do not indicate malicious behavior.
Review Dimensions
- Purpose & Capability (ok): Name/description match the runtime behavior: it queries feedoracle.io MCP endpoints for MiCA/stablecoin evidence. Declared required binary (curl) and optional FEEDORACLE_API_KEY align with the described API-based workflow. No unrelated credentials, binaries, or config paths are requested.
- Instruction Scope (note): SKILL.md clearly restricts what is sent: read-only tools send only a token symbol, ai_query sends only the explicit question text, and user-initiated tools (kya_register, audit_log) send agent metadata or decision text. This scope is appropriate for the stated purpose. Caveat: because this is instruction-only, accidental inclusion of PII or conversation context in user-supplied questions or decision text remains possible; the skill relies on the agent (and user) to follow the guidance.
- Install Mechanism (ok): No install spec or downloaded code; this is an instruction-only skill. This is the lowest-risk install posture: nothing is written to disk by the skill package itself.
- Credentials (ok): No required environment variables are declared. An optional FEEDORACLE_API_KEY is documented for higher rate limits, which is proportionate to the advertised tiers. There are no unexplained SECRET/TOKEN requirements.
- Persistence & Privilege (note): Skill metadata uses default platform settings (user-invocable true, disable-model-invocation false) which permit autonomous invocation, but the SKILL.md repeatedly instructs the agent not to auto-invoke and to call the tool only on explicit user requests. This is a minor inconsistency between runtime guidance and platform invocation defaults. It is not itself malicious, but worth confirming with host policy or turning off autonomous invocation if you require enforced user-only calls.
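The two inconsistencies the review flags (metadata that still permits model invocation while the instructions ask for user-request-only calls, and a SKILL.md version that disagrees with the registry) are mechanical enough to check before installing. The following is an added example lint, not ClawHub's scanner or the skill's own code. It assumes SKILL.md frontmatter is simple `key: value` YAML between `---` fences with the keys named on this page (`user-invocable`, `disable-model-invocation`) plus an assumed `version` key; the sample SKILL.md and the registry version are constructed for the example.

```python
"""Lint a skill package for policy/metadata drift.

Checks, over a SKILL.md with `---` fenced frontmatter:
  1. the body asks for user-request-only calls but disable-model-invocation
     is not true, so the policy is advisory rather than enforced;
  2. the frontmatter version differs from the registry's version;
  3. credential-like names mentioned in the instructions, for review.

Assumptions (not from the page): frontmatter keys are one `key: value` per
line, the version key is `version`, and the sample below is constructed.
"""
import re

# Constructed sample mirroring the inconsistencies the review describes.
SAMPLE_SKILL_MD = """---
name: feedoracle-compliance
version: 1.2.2
user-invocable: true
disable-model-invocation: false
---
# FeedOracle Compliance

Requires: curl. Optional: FEEDORACLE_API_KEY for higher rate limits.

Do not auto-invoke this skill. Call kya_register and audit_log only on an
explicit user request. Never include PII or conversation history in questions.
"""

REGISTRY_VERSION = "1.2.3"  # constructed: the version the registry reports

# Phrases that express a user-request-only policy in the instruction body.
USER_ONLY_PATTERNS = [
    r"do not auto-?invoke",
    r"only on (an )?explicit user request",
    r"user-request-only",
]

CREDENTIAL_RE = re.compile(r"\b([A-Z][A-Z0-9_]{3,}(?:_KEY|_TOKEN|_SECRET))\b")


def parse_frontmatter(text):
    """Return (metadata dict, body) for a SKILL.md with `---` fenced frontmatter."""
    m = re.match(r"^---\n(.*?)\n---\n(.*)$", text, re.S)
    if not m:
        return {}, text
    meta = {}
    for line in m.group(1).splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            meta[key.strip()] = value.strip()
    return meta, m.group(2)


def as_bool(value, default):
    """Interpret a frontmatter boolean; absent keys take the platform default."""
    if value is None:
        return default
    return value.lower() in ("true", "yes", "1")


def lint_skill(text, registry_version):
    """Return a list of (severity, message) findings for one SKILL.md."""
    meta, body = parse_frontmatter(text)
    findings = []

    # Platform default (per the review) is disable-model-invocation: false.
    model_can_invoke = not as_bool(meta.get("disable-model-invocation"), False)
    user_only = any(re.search(p, body, re.I) for p in USER_ONLY_PATTERNS)
    if user_only and model_can_invoke:
        findings.append((
            "note",
            "SKILL.md asks for user-request-only calls but "
            "disable-model-invocation is not true; the policy is advisory only",
        ))

    declared = meta.get("version")
    if declared and declared != registry_version:
        findings.append((
            "note",
            f"version mismatch: SKILL.md {declared} vs registry {registry_version}",
        ))

    # Surface credential names the instructions reference, so a reviewer can
    # confirm each one is declared and proportionate (here: optional API key).
    for var in sorted(set(CREDENTIAL_RE.findall(body))):
        findings.append(("info", f"credential referenced in instructions: {var}"))
    return findings


def enforce_user_only(text):
    """Return SKILL.md text with disable-model-invocation forced to true, so the
    platform enforces what the instructions only request."""
    meta, body = parse_frontmatter(text)
    meta["disable-model-invocation"] = "true"
    front = "\n".join(f"{k}: {v}" for k, v in meta.items())
    return f"---\n{front}\n---\n{body}"


if __name__ == "__main__":
    for severity, message in lint_skill(SAMPLE_SKILL_MD, REGISTRY_VERSION):
        print(f"[{severity}] {message}")
```

Running the lint on the sample reproduces both notes from the review; after `enforce_user_only` rewrites the frontmatter, only the informational credential line remains, which is the posture the guidance recommends when you need user-only calls enforced rather than requested.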
