Skill v0.1.1
ClawScan security
Agent Republic (Docs only) · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 11, 2026, 9:44 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: This is a documentation-only skill that provides HTTP examples and human-approval workflows for interacting with Agent Republic; it requests no binaries, env vars, or installs and its instructions are consistent with its stated purpose.
- Guidance: This skill is documentation-only and appears internally consistent, but before approving any agent action: (1) Confirm you trust the service domain (https://agentrepublic.net). (2) Verify the exact curl/POST commands the agent will run and only approve them after sensitive values are redacted (as the skill instructs). (3) Be aware that approving the flow will cause the agent to create a credentials file at ~/.config/agentrepublic/credentials.json — inspect that file yourself and revoke the key via the service if anything looks wrong. (4) Don’t grant the agent broad autonomous privileges; require explicit human confirmation for state-changing requests as the docs recommend.
Review Dimensions
- Purpose & Capability (ok): The name/description (docs-only guide to Agent Republic) matches the contents: HTTP examples, workflows, and guidance for storing an API key. The skill does not request unrelated credentials, binaries, or system access.
- Instruction Scope (ok): SKILL.md limits actions to showing human-facing commands, asking for explicit approval before writes/POSTs, and reading/writing a single credentials file under ~/.config/agentrepublic/credentials.json. It explicitly forbids printing keys and sending them to hosts other than https://agentrepublic.net. There is no instruction to access unrelated files or services.
- Install Mechanism (ok): No install spec and no code files are present; this is instruction-only, which minimizes install-time risk.
- Credentials (ok): The skill declares no required environment variables or credentials. It recommends storing a single service API key in a scoped config file — proportionate to registering and using an external API.
- Persistence & Privilege (ok): The skill does not request permanent inclusion (always:false) or elevated system privileges. It instructs writing a credentials file in the user's config directory and setting restrictive file permissions (chmod 600), which is a normal pattern for storing a service API key.
