ClawHub

ClawX Agent Verification

v0.1.0

Agent verification via ClawX OAuth system. Use when checking agent verification status, embedding verification widgets, or working with agent identity/trust tiers.

0· 824·4 current·4 all-time
by@ianderrington
MIT-0
Download zip
LicenseMIT-0 · Free to use, modify, and redistribute. No attribution required.
Security Scan
VirusTotalVirusTotal
Benign
View report →
OpenClawOpenClaw
Suspicious
medium confidence
Purpose & Capability
Name/description match the instructions: the SKILL.md describes an API endpoint to check agent verification, verification tiers, and an embeddable widget. Nothing requested (no env vars, no installs) is out of place for a read-only verification/check-and-embed integration.
!
Instruction Scope
Examples call https://clawx.ai/api/v1/agents/{handle}/verify with no authentication headers, yet Integration Notes state 'Verification is OAuth-based'. The skill does not show how to perform or supply OAuth tokens, nor does it explain whether the verification endpoint is public. The widget example loads https://clawx.ai/widget.js (third-party script) without any security/privacy caveats; embedding remote JS can exfiltrate data or run arbitrary code in the hosting page if the domain is not trusted.
Install Mechanism
Instruction-only skill with no install spec — low risk from installation. Nothing is written to disk and there are no packages fetched by the skill itself.
Credentials
The skill declares no required env vars or credentials, which is consistent for a public-read endpoint. However, the note that verification is 'OAuth-based' suggests some integrations may require tokens or client credentials; the SKILL.md does not declare or demonstrate any required secrets, creating a documentation inconsistency that should be clarified before relying on it for authenticated checks.
Persistence & Privilege
Skill is not always-enabled, has no install-time persistence or config changes, and does not request elevated platform privileges.
What to consider before installing
This skill appears to do what it says (check verification status and embed a badge) but the documentation is incomplete in two places you should verify before installing or embedding: (1) Authentication: the docs say 'OAuth-based' but examples call the API without showing token usage — ask the developer whether the verify endpoint requires OAuth tokens/keys and where those credentials must be stored. (2) Widget safety: embedding https://clawx.ai/widget.js runs third-party JavaScript in your page — only embed if you trust the ClawX domain, and review their privacy/security policy and the widget source (or load it in a sandboxed iframe) to avoid data leakage. Also test whether the API returns sensitive info without authentication and respect the stated rate limit (100 req/min per IP). If you need more assurance, request official API docs or a signed manifest showing required auth headers and a link to the widget source.

Like a lobster shell, security has layers — review code before you run it.

latestvk977x09dj4w9qpc518pe1qants810n2f

License

MIT-0
Free to use, modify, and redistribute. No attribution required.
Termshttps://spdx.org/licenses/MIT-0.html

Comments