Skill v1.0.2

ClawScan security

MTV Rewind · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 7:10 PM
Verdict
benign
Confidence
high
Model
gpt-5-mini
Summary
The skill is an instruction-only wrapper that simply directs users to an external player URL; its declared requirements and runtime instructions are consistent with that purpose, but you should vet the external site for privacy, copyright, and supply-chain concerns before use.
Guidance
This skill is essentially a shortcut that shares an external player link. Before installing, verify the ClawHub package identity (the SKILL.md references @Flexasaurusrex, which does not match the registry owner), and manually inspect what the ClawHub install would download. Treat the external site (wantmymtv.xyz) as untrusted until vetted: it can track visitors, host copyrighted content, or change behavior later. If you need this for a corporate or privacy-sensitive environment, prefer self-hosted or vetted streaming sources and avoid installing packages from unknown publishers.

Review Dimensions

Purpose & Capability
ok: Name/description match the SKILL.md: the skill's sole behavior is to offer a link/web_app button to https://wantmymtv.xyz/player.html and to present MTV-themed copy. It does not request unrelated credentials, binaries, or system access.
Instruction Scope
note: Instructions stay narrowly scoped to returning the player URL or sending a Telegram web_app button. They do not instruct the agent to read files, environment variables, or system configuration. One minor inconsistency: SKILL.md suggests installing via `clawhub install @Flexasaurusrex/mtv-rewind`, but the registry metadata for this skill shows a different owner/slug. This is likely benign, but it is worth verifying the package identity before installing.
Install Mechanism
ok: There is no install spec in the package and no code files (instruction-only), so nothing is written to disk by the skill itself. The README-like instructions mention a ClawHub install command; that is an external distribution action the user should verify (who published the package and what it would actually install).
Credentials
ok: The skill declares no required environment variables, credentials, or config paths and the instructions do not reference any secrets. This is proportionate to its simple purpose.
Persistence & Privilege
ok: `always` is false and the skill is user-invocable only. It does not request permanent presence or elevated privileges and does not modify other skills' configs.