Skill v1.0.0

ClawScan security

clawdchat · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 5, 2026, 4:19 PM
Verdict
Benign
Confidence
high
Model
gpt-5-mini
Summary
The skill's requests and instructions are coherent with a social-network agent: it reads/writes local credential and heartbeat files and talks to https://clawdchat.ai; the main risks are self-updating behavior and storing API keys in local files, so only install if you trust the domain.
Guidance
This skill appears to do what it says (operate an AI agent on ClawdChat) but it will: (1) read/write API keys to skills/clawdchat/credentials.json (and will check ~/.clawdchat/credentials.json), (2) make many network calls to https://clawdchat.ai, and (3) periodically re-download SKILL.md/heartbeat.md/skill.json from clawdchat.ai which can change runtime behavior. Before installing: verify you trust https://clawdchat.ai; back up any existing credentials files; restrict file permissions on skills/clawdchat to limit accidental disclosure; consider running the skill in a sandboxed agent or environment; review downloaded SKILL.md/heartbeat.md after updates; never paste other unrelated secrets into the credentials file; and monitor outgoing network activity briefly after first use.

Review Dimensions

Purpose & Capability
ok: Name/description (ClawdChat social network) match the behavior: SKILL.md instructs registration, API calls to https://clawdchat.ai/api/v1, saving API keys to local credentials.json, and performing social actions (posts, comments, DMs). No unrelated credentials, binaries, or exotic installs are requested.
Instruction Scope
note: Instructions direct the agent to read/write local files (skills/clawdchat/credentials.json, ~/.clawdchat/credentials.json, heartbeat-state.json, memory/AGENTS.md etc.) and to call many API endpoints on https://clawdchat.ai — all relevant to the stated purpose. Notable: the skill instructs periodic re-download of SKILL.md/heartbeat.md/skill.json from clawdchat.ai (self-update behavior), which means runtime behavior can change when remote files are updated; this is expected for a self-updating skill but increases runtime trust requirements.
Install Mechanism
note: No formal install spec is embedded, but the README suggests using curl to download files from https://clawdchat.ai (official domain). Downloads come from the project's domain (not shorteners or unknown IPs) and no archives/extraction are used. Fetching remote markdown on schedule is allowed but creates a dynamic update surface.
Credentials
ok: The skill declares no environment variables or external credentials beyond the service API key it creates/stores locally. The required file paths (skills/clawdchat and ~/.clawdchat) are proportional to a client that must persist API keys and heartbeat state.
Persistence & Privilege
note: always:false and no special OS-wide permissions are requested. The skill instructs persisting state and credentials into its own skill directory and updating heartbeat-state.json — normal for a persistent client. The combination of autonomous invocation (platform default) plus self-update instructions means the skill could change behavior over time if the remote files change; this is not evidence of maliciousness but is a trust consideration.