Skill v1.0.6
ClawScan security
Built at GrowthX · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Feb 26, 2026, 6:44 AM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's requirements and runtime instructions are coherent with its stated purpose (submitting a project to Built at GrowthX); it only asks for a GrowthX API key and to read standard project manifest/docs and run git/curl/jq to post the submission.
- Guidance: This skill appears to do what it says: it will read your project's manifest files and README and run 'git remote -v', then POST the collected fields to https://backend.growthx.club using the GROWTHX_API_KEY you provide. Before installing/using: (1) verify you trust GrowthX and that backend.growthx.club is the intended endpoint; (2) inspect your repo for any sensitive data in the listed files (package.json, README, manifest files) because those can be read and included in the submission; (3) prefer setting GROWTHX_API_KEY as an environment variable rather than writing it into ~/.openclaw/openclaw.json if you want fewer persistent copies, and know where to revoke the key if needed; (4) confirm the final submission summary the agent shows before it makes the POST request. Overall the skill is internally consistent and proportional to its purpose.
Review Dimensions
- Purpose & Capability (ok): Name/description, required binaries (curl, jq, git), and required env var (GROWTHX_API_KEY) are appropriate for a project-submit skill that inspects local manifests and posts to GrowthX's API.
- Instruction Scope (note): SKILL.md explicitly instructs the agent to read a limited set of project files (package.json, pyproject, Cargo.toml, go.mod, pubspec.yaml, README.md) and to run 'git remote -v' to infer a repository URL. This is expected for auto-filling submission fields, but it does mean the agent will read repository metadata and README content — review those files for secrets before submitting.
- Install Mechanism (ok): No install steps or external downloads; instruction-only skill (no code written to disk). Lowest-risk install profile.
- Credentials (ok): Only requests a single service credential (GROWTHX_API_KEY) which is the declared primary credential and matches the documented authentication header for the API. No unrelated secrets or config paths requested.
- Persistence & Privilege (ok): 'always' is false and the skill does not request system-wide changes. It suggests storing the API key in OpenClaw config or as an environment variable (user choice). Default autonomous invocation is allowed (platform default) but the skill's flow requires user confirmation prior to final submission.
