Skill v1.0.3

ClawScan security

Omnis Venture Intelligence · ClawHub's context-aware review of the artifact, metadata, and declared behavior.

Scanner verdict

Benign · Mar 3, 2026, 2:03 PM
Verdict: Benign
Confidence: high
Model: gpt-5-mini
Summary
The skill is an instruction-only, read-first connector for the bamboosnow.co venture discovery API; its declared requirements and instructions are consistent with its stated purpose and it does not request unrelated credentials or install artifacts.
Guidance
This skill appears coherent and read-only, but take these practical steps before installing or using it:
1) Verify the bamboosnow.co service and its OpenAPI docs (https://www.bamboosnow.co/docs/api/openapi.v1.yaml) match your expectations.
2) Only provide an API key interactively when you trust the provider; do not paste broader cloud credentials or long-lived secrets. Prefer a scoped or ephemeral key if possible.
3) The skill forbids billing POSTs — if you need to fund anything, use the hosted checkout URL yourself rather than asking the agent to perform writes.
4) Monitor any account activity or billing after first use.
5) If you require higher assurance, ask the publisher for a security/privacy contact or review a signed, hosted OpenAPI spec before granting access.

Review Dimensions

Purpose & Capability
ok: Name/description align with the runtime instructions: all calls described target bamboosnow.co endpoints for discovery/scoring. No unrelated binaries, env vars, or config paths are requested.
Instruction Scope
ok: SKILL.md limits operations to read-only GET calls, documents billing safety (explicitly forbids billing POSTs), and instructs the agent not to search local files or environment for credentials. All referenced resources are on the stated domain.
Install Mechanism
ok: No install spec and no code files — the skill is instruction-only, so nothing is written to disk or downloaded during install.
Credentials
ok: The skill declares no required environment variables or primary credential. It documents an x-api-key header for authenticated endpoints and instructs the agent to request an API key from the user in-session rather than scanning env/files — this is proportionate to the described API usage.
Persistence & Privilege
ok: always is false and there is no install-time persistence. The skill can be invoked autonomously (platform default), which is expected for plugins of this type and is not combined with any other elevated privileges here.