Skill v1.0.0
ClawScan security
Hatcher Host AI Agents Deployment · ClawHub's context-aware review of the artifact, metadata, and declared behavior.
Scanner verdict
Benign · Apr 18, 2026, 7:42 PM
- Verdict: benign
- Confidence: high
- Model: gpt-5-mini
- Summary: The skill's instructions and files match its stated purpose (deploying and controlling agents on hatcher.host); it is instruction-only (no install), but it will create and store API keys and integration tokens at runtime, so users should be deliberate about what credentials they provide.
- Guidance: This skill appears to be what it says: documentation and curl recipes to register at hatcher.host, create an API key (HATCHER_KEY), and manage hosted agents and integrations. Before installing or running it:
  1. Verify you trust hatcher.host (homepage and contact info) before creating accounts or sharing tokens.
  2. Do not copy the example literal password; choose a unique strong password.
  3. Understand that the flow creates/stores an API key (HATCHER_KEY) and may ask you to provide third-party integration tokens (Telegram, Discord, Slack, Twitter, WhatsApp) or LLM BYOK keys. Those are sensitive; only provide tokens you are willing to have used by the agent and stored encrypted by the platform.
  4. Limit account funds/credits and prefer minimal-scope keys; revoke or rotate the API key if you stop using the skill.
  5. If you want the agent to not act autonomously with your HATCHER_KEY (e.g., to avoid accidental purchases or always-on agents), do not grant it payment credentials or give it long-lived credits without supervision.

  The skill metadata should have declared required env vars (it does not); that is a minor inconsistency but not a functional issue.
Review Dimensions
- Purpose & Capability (ok): Name/description (deploy/control agents on Hatcher) align with the runtime instructions and satellite files: register an account, create an API key (HATCHER_KEY), create/start/stop agents, configure integrations and payments. There are no unrelated credential or binary requests in the metadata or files.
- Instruction Scope (note): SKILL.md explicitly directs the agent to register a user account (needs the human's email and a one-time verification click), create an API key, store the JWT/HATCHER_KEY, and manage agents and integrations. All of this is in scope for a hosting/deployment skill. Note: the examples include a literal example password and instruct storing keys in env/config; users should not reuse example secrets and should understand the agent will handle their credentials.
- Install Mechanism (ok): Instruction-only skill with no install spec and no code files, which is the lowest disk/execution risk. The repository-like satellite markdowns are fetched as documentation only.
- Credentials (note): Registry metadata lists no required env vars, but the instructions require creating and storing a HATCHER_KEY (API key) and temporarily using a JWT. The skill may also instruct storing third-party integration tokens (Telegram, Discord, Slack, Twitter, WhatsApp) or BYOK LLM keys in an agent's config. These environment/secret needs are proportional to the feature set, but the metadata omission (no declared required env vars) is an inconsistency, and users should be aware of the sensitive secrets the flow requests.
- Persistence & Privilege (ok): Skill does not request always:true and does not modify other skills or global agent configuration. It instructs creating API keys and writing them to the agent/account (normal for this purpose). Note that with the created HATCHER_KEY an agent could create resources (agents, subscriptions) and perform actions within that account's allowances; users should treat the key as sensitive and limit permissions/credits.
